ExpressVPN Clears 2 New Privacy and Cybersecurity Audits
Industry-leading virtual private network provider ExpressVPN cleared two third-party audits last week, earning high marks from both independent firms for its privacy policy and its server security. In its source code audit and white-box penetration testing, cybersecurity firm Cure53 reported only low- or medium-rated threats and no threats with high or critical severity ratings. Auditing firm KPMG separately evaluated ExpressVPN’s no-logs privacy policy and reported confidence in the VPN’s implementation of it. Both audits are publicly available.
“We are pleased that our systems and core server technologies were examined by KPMG and Cure53. Regular third-party audits that validate our controls and the results of our internal team’s work, along with other security efforts like our bug bounty program, give us even more confidence that we are protecting our users well,” said ExpressVPN cybersecurity head Aaron Engel in an October blog post.
Engel also said ExpressVPN would be publishing even more audits this year.
Read more: ExpressVPN Review 2022: Top Speeds and Competitive Transparency Efforts
KPMG’s audit looked at whether ExpressVPN’s privacy policy matched the capacity and actual use of its TrustedServer technology. Evaluating the VPN’s controls framework, its TrustedServer operating system configurations, and its employees’ compliance with the TrustedServer processes, KPMG reported confidence that ExpressVPN’s no-logging policy is being upheld in its use of TrustedServer.
Cure53’s audit covered not only the TrustedServer tech, but the VPN’s Lightway protocol. The firm also tested for potential IP address data leaks, and any weaknesses that would allow for remote code execution. As is commonly found in the firm’s reports regardless of client, some low- and medium-severity threats were present. Cure53 found 29 security-relevant discoveries, only four of which were actual vulnerabilities.
“From one perspective, the number of findings is quite large and could be seen as worrisome at first glance. However, it needs to be clearly underlined that the ratio of vulnerabilities to hardening-driven items is very good,” Cure53 said in its report.
“In other words, mostly general weaknesses and minor flaws were spotted. Further, most of them can be evaluated as trivial to fix and resolve. It can be positively acknowledged as well that none of the four actually identified vulnerabilities was ranked with a High or Critical severity score, showcasing an already quite robust environment exposed by the ExpressVPN TrustedServer components.”
Since 2019, ExpressVPN has increased the number and frequency of its independent third-party audits. The two October audits follow a suite of those from other firms, including PricewaterhouseCoopers, which have similarly reported high-confidence findings in the VPN’s privacy policy compliance and TrustedServer build process.
    Read more: ExpressVPN Is a Case Study in Why VPN Reviews Require More Legwork