At ExpressVPN, we believe in earning user trust through transparency rather than just asking customers to take our word for it. This is why we regularly publish audits by trusted third parties, providing independent verification of the privacy and security commitments we make to users.
We’re pleased to announce that our current app for Windows has been reviewed by a third-party cybersecurity firm, F-Secure, via a penetration test to confirm the app’s privacy protections and strong security posture. The purpose of the assessment was to attempt to identify any potential security weaknesses within the app, specifically vulnerabilities relating to information disclosure or IP address leakage, as well as the ability of an attacker to execute code remotely. The assessment was conducted from November 2021 to December 2021.
We’re proud to say that F-Secure issued an exceedingly positive report, with none of the targeted vulnerabilities found. “It was not possible to gain information about ExpressVPN’s clients or out of the network traffic,” the report reads. “Nor was it possible to execute code remotely through attacks such as, but not limited to, Man-in-the-Middle (MitM), TLS downgrading, packet injection.”
Of the security issues flagged, one was of low severity and all others were informational. No critical, high, or medium issues were found. We have since remedied issues raised in the report, as F-Secure confirmed during a re-test in February 2022.
“The report from F-Secure showcases the strength of our product and validates the high-quality work that ExpressVPN engineers and security experts have been doing,” says Aaron Engel, Head of Cybersecurity, ExpressVPN. “This is the first of multiple audits to come in 2022, and we are committed to continuing to deliver independent reports on all of our client apps, core technology, privacy policy, and more.”
How audits strengthen security claims
As a privacy-focused company, ExpressVPN works hard to ensure that our software and systems provide an extremely high level of privacy protections to our users. In order for us to be confident of our security claims, we test our software internally but also regularly engage independent cybersecurity experts to assess our products and validate the accuracy of our claims.
These third-party audit reports don’t just inform us; they also give users insight into the accuracy of our security claims and help them make an informed decision when choosing a VPN.
In an effort to further increase trust and transparency with our products, we’ve kickstarted a new phase in which we’re investing in a greater frequency and quantity of audits. Assessing our Windows app is just the start. You can expect more audits from us this year, including on all of our client apps, core technology, and privacy policy.
Find out more about our past audits and security assessments:
- An audit by PwC Switzerland of our privacy policy compliance and our in-house technology TrustedServer
- An assurance engagement by PwC Switzerland on our build verification process
- A security assessment of our browser extension by Cure53
- A security audit by Cure53 of our VPN protocol Lightway
These assurance engagements and security assessments complement our other trust and transparency efforts, including providing open-source leak testing tools, publicly detailing our security practices, and launching the VPN Trust Initiative, which aims to promote public awareness about internet safety.
At ExpressVPN, we’re committed to doing our part to keep pushing the industry forward to better protect online privacy and security, through both technology and transparency. We look forward to publishing more audits and insights that enable you to hold us to that commitment.
Comments
I hope you do a security code audit too with all our apps.
Yes, we plan to do so for more apps!
Great news!