I like their response.
Our software is free and open source, while we repute at the moment not acceptable to provide external companies with root access to our servers to perform audits which cannot anyway guarantee future avoidance of traffic logging or transmission to third parties. On the contrary, we deem very useful anything related to penetration tests. Such tests are frequently performed by independent researchers and bounty hunters and we also have a bounty program.
Or at least, it seems sound to me. Having an audit doesn’t mean that you keep on upholding best practices after the audit. It could even be used as a marketing tool. Having an ongoing bounty hunter program seems ideal. But I don’t know how intensive this would be versus a normal audit either.
I found this page on it: AirVPN
It seems as though only one person was able to redeem a bounty, at the bottom of this page.