Hola CEO adios VPN botnet
Hola's claims that security vulnerabilities with its VPN are unjustified have been labelled by researchers as "simply false"

The CEO of virtual private network (VPN) provider Hola has denied allegations that using its service puts its 47 million users at risk of being part of a botnet.

Ofer Vilenski attributed the vulnerabilities recently exposed by researchers to "growing pains" and said that some of them had since been addressed; however, such claims have been disputed by security researchers.

"There have been some terrible accusations against Hola which we feel are unjustified," said Vilenski in a blogpost on 1 June, before acknowledging: "We made some mistakes, and now we're going to fix them fast.

"Does Hola make you part of a botnet? No! There was some concern that by selling our VPN services to enterprise customers, we were possibly exposing our users to cybercriminal traffic that could get them in trouble (thus the 'botnet' accusation).

"The reality is that we have a record of the real identification and traffic of the [premium] users, such that if a crime is committed, we can report this to the authorities, and thus the criminal is immediately identified."

The security researchers who released the original report, using the collective name Adios, have since said that Vilenski's claims that two of the vulnerabilities were fixed "within a few hours of them being published" are not true.

"Many of the issues are ignored, and some claims are simply false," Adios said in a statement. "The vulnerabilities are still there, they just broke our vulnerability checker and exploit demonstration. Not only that; there weren't two vulnerabilities, there were six.

"The security issues with Hola are of such a magnitude that it cannot be attributed to 'oversight'; rather, it's straight out negligence. We await a more transparent follow-up statement, and a real fix to the security issues."

As part of Vilenski's blogpost, it was announced that Hola's security team would be appointing a chief security officer in the near future, as well as offering a bug bounty for anyone finding additional vulnerabilities in its products.