Papers, please: the rise of the independent VPN audit

Jan Youngren | Chief Editor
Last updated: May 10, 2022
Disclaimer: Affiliate links help us produce good content. Learn more.

The trend of VPN audits started back in 2017. Providers who had been making big claims about the security and privacy of their services suddenly decided to back them up. Why did it happen, and why is it still happening today?

First, the industry was rapidly expanding. More and more companies were entering the business with new products, each looking to grab a share of the market. And since credibility is the biggest asset of any VPN, having an outside party verify your claims meant standing out from the crowd of “most private and secure” services.

But what is a VPN audit, anyway? And which VPNs have been audited independently? Read on to find out.

What is a VPN audit?

An independent audit of some part of a VPN service aims to prove to the world that the provider can actually back up its claims with a working product that delivers privacy and security.

There are two different types of audit that can be performed:

  • Security audit. The VPN service gives its app’s source code to an independent auditor, who reviews the code and runs penetration tests against the app to identify vulnerabilities. Example: Surfshark’s browser extension audit by Cure53.
  • No-logging audit. This more difficult audit requires far more access, since the auditor inspects the provider’s production servers (configurations, log files and stored data) to check what information about users is actually retained. Example: NordVPN’s no-logs audit by PwC.

Both types of audit are important. However, we’d still place more importance on the no-logging audit, since it tests whether the provider’s data privacy claims are actually true. One caveat applies to both: an audit is a snapshot of what the auditor saw on the audit date and covers only the scope the provider agreed to, so check the report for its scope and date, not just the headline.
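To make the distinction concrete, here is an added illustration (written for this page, not code from any provider or auditing firm named here) of the kind of check a no-logging audit performs on server-side data: it scans log files for fields that would tie a session back to a person. The file paths, log format and log lines are constructed for the example, and the set of patterns is deliberately small; a real audit also covers databases, backups and the running configuration.

```python
"""Illustrative no-logs check: scan VPN server log lines for user-identifying data.

Added example for this page; not code from any VPN provider or auditing firm.
The log paths, log format and sample lines below are constructed.
"""
import re

# Kinds of data that tie a session to a person. Deliberately a small set:
# a real audit would also cover database rows, packet captures, backups, etc.
IDENTIFIER_PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "account_id": re.compile(r"\buser(?:_id)?=\d+\b"),
}

# Constructed sample of what an auditor might find on a gateway host.
SAMPLE_LOGS = {
    "/var/log/openvpn/status.log": [
        "2022-05-01T10:00:02Z CLIENT_LIST alice@example.com 203.0.113.45:51820 10.8.0.6",
        "2022-05-01T10:00:02Z ROUTING_TABLE 10.8.0.6 alice@example.com",
    ],
    "/var/log/vpn/auth.log": [
        "2022-05-01T09:59:58Z auth ok user_id=48213 src=203.0.113.45",
    ],
    "/var/log/vpn/metrics.log": [
        "2022-05-01T10:00:00Z gateway=fr-03 active_sessions=1842 load=0.71",
    ],
}


def find_identifying_fields(logs):
    """Return {path: [(line_no, kind, matched_text), ...]} for every hit.

    A deployment that honours a strict no-logs policy yields an empty dict:
    aggregate metrics (session counts, load) are fine, but client IPs,
    account names and tunnel addresses bound to an account are not.
    """
    findings = {}
    for path, lines in logs.items():
        hits = []
        for line_no, line in enumerate(lines, start=1):
            for kind, pattern in IDENTIFIER_PATTERNS.items():
                for match in pattern.finditer(line):
                    hits.append((line_no, kind, match.group(0)))
        if hits:
            findings[path] = hits
    return findings


def is_no_logs_clean(logs):
    """True when no inspected file contains user-identifying fields."""
    return not find_identifying_fields(logs)


def report(logs):
    """Human-readable summary, one line per offending file."""
    lines = []
    for path, hits in sorted(find_identifying_fields(logs).items()):
        kinds = sorted({kind for _, kind, _ in hits})
        lines.append(f"{path}: {len(hits)} identifying field(s) ({', '.join(kinds)})")
    return lines or ["no user-identifying fields found"]


if __name__ == "__main__":
    for line in report(SAMPLE_LOGS):
        print(line)
```

Run as-is it flags the OpenVPN status file and the authentication log but passes the metrics file, which is the distinction a no-logs audit is drawing: operational counters are compatible with a no-logs claim, per-user connection records are not. Point `find_identifying_fields` at real files read from disk to use it beyond the sample.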

So let’s take a quick look at the best VPNs with independently-audited no-logs policies.

Best VPNs with independent audit: shortlist

  1. NordVPN – best independently-audited VPN
  2. Surfshark – great VPN with two security audits
  3. IPVanish – no-logs policy audited independently
  4. Proton VPN – security and no-logging audits
  5. PureVPN – no-logging approved by Altius IT

VPN audit history

Below are the key events from the VPN audit history. It includes both security and no-logs audits by third parties, dating back to 2017.

August 7, 2017: TunnelBear completes industry-first VPN security audit

Type of audit: security audit

At the end of 2016, TunnelBear hired Cure53, an independent German security testing firm, to perform a complete security audit of their servers, apps, and infrastructure. It was originally meant for internal use only, but TunnelBear felt the industry needed a boost of confidence after multiple security crises.

The blog post is dated August 2017, although that is the date of the second security audit. The first had been completed in 2016 and found multiple vulnerabilities in their Chrome extension, which TunnelBear worked to fix before the 2017 audit. These two iterations are therefore best seen as two phases of one larger audit.

They’ve now released their VPN security audit for 2018. In this one, Cure53 discovered 2 “critical,” 5 “high,” 3 “medium,” 7 “low,” and a few “informational” issues across TunnelBear’s service.

These issues have been “promptly fixed” by TunnelBear. Overall, the 2018 report [pdf] states that the audit:

“revealed great progress that the TunnelBear has made over the recent years. This is clearly enabled by the incessant efforts of the in-house team, which manages to introduce subsequent improvements to the overall integrity and security…”

Overall, that’s a great start to the new movement.

September 24, 2018: Mullvad gets a security audit for its app

Type of audit: security audit

In September 2018, the relatively little-known Swedish VPN service Mullvad published the results of its security audit. Once again, Cure53 was hired to review the code and look for vulnerabilities.

The Cure53 Mullvad report [pdf] showed that 7 issues were found, one rated “critical” and another rated “high.” The auditors went on to claim that the issues were:

“an exceptionally small number given the complex field of the VPN software and the connected, vast attack surface.”

However, one important aspect was noted by Cure53: the security audit wasn’t comprehensive, as only the front-end had been checked:

“It needs to be noted, however, that in this instance only applications and supporting features were checked, meaning that no verdict can be made on the security posture of the server-side and backend.”

While there are real limits to this partial security audit, notably that it doesn’t examine how user data is collected and processed on the server side, it nonetheless has some significance as the industry’s second independent audit.

November 20, 2018: Surfshark gets a VPN browser extension audit

Type of audit: security audit

In its blog post, Surfshark let the world know that its VPN browser extension had been audited by Cure53. That audit (available here [pdf]) consisted of both a penetration test and a code audit of Surfshark’s Chrome and Firefox browser extensions.

Cure53 claimed that the tests showed Surfshark’s Chrome and Firefox extensions provided:

“a very robust impression and are not exposed to any issues, neither in the privacy nor in the more general security realms.”

This is great news for Surfshark, as its privacy claims seem to have been met – for its browser extensions. This audit, however, did not look at its desktop or mobile VPN clients, so that’s something to keep in mind.

November 22, 2018: NordVPN gets a no-log policy audit

Type of audit: no-logging policy audit

That’s when the big boys, NordVPN, stepped in: two days later they released initial findings from the PwC audit of their no-log policy. We gave our own in-depth analysis of their independent audit here, but suffice it to say that we still believe it’s a big deal, especially given the high reputation of the auditing firm PwC.

In an attempt to settle people’s fears about what kind of data VPN providers are actually logging, especially giants like NordVPN, they went ahead and hired a giant in its own right, at least in the auditing world: PwC. The audit itself actually took place in August.

NordVPN simply wanted to prove to the world that they’re trustworthy, and the PwC audit seems to show that. In a leaked version of the report, PwC stated:

“a) the accompanying description fairly presents Tefincom S.A.’s no-log NordVPN service, and

b) the NordVPN service is suitably designed and implemented as of 1 November 2018.”

They just happened to publish their blog post about the results after Surfshark.

November 29, 2018: VyprVPN’s audit

Type of audit: no-logging policy audit

And then we get to VyprVPN’s recent blog post about their no-logging policy audit.

Rather than simply saying, “We also got an independent audit,” they went further and, in what looks like a pure marketing stunt, claimed to be “the world’s first publicly audited No Log VPN Provider.” This seemed odd, seeing that it came out after NordVPN’s no-log policy audit blog post.

But VyprVPN representative Jim Crooks says the timing of the release was purely coincidental:

“Please understand that in order to effectively complete an audit of this magnitude, it takes significant time. We have been actively working both internally to ensure our services are No Log, followed by an active relationship with our auditors Leviathan Security to test and address any issues raised throughout our shift to No Log. Although we understand our timing might be a tad odd considering the release of NordVPN’s announcement, please understand this was purely coincidental.”

This seems like a reasonable enough explanation, and it more or less accounts for the “world’s first” claim in the title of their post.

Nonetheless, the Leviathan Security audit [pdf] concluded that:

“Connections are logged during authentication, but logs that could identify users are kept only for a short time. By using open source or widely-used applications for server and client components, they have reduced the risk of unintentionally adding a weakness into the software themselves.”

July 9, 2019: ExpressVPN servers get a PwC audit

Type of audit: privacy and security audit

Almost 8 months after NordVPN released their PwC no-logging policy audit results, ExpressVPN came out with their own PwC audit. This time, however, it was a full privacy and security audit.

What this means, essentially, is that ExpressVPN gave the auditors full access to their team and to their system information. ExpressVPN writes in their blog post:

“Over the course of a month, PwC interviewed staff responsible for managing our VPN servers; inspected source code, configurations, and technical log files; and observed our server configuration and deployment processes.”

The PwC report seems to confirm what we already believed: ExpressVPN is a safe, private and secure VPN. That is great news – and something we hope will light a fire under the rest of the VPN industry.

August 27, 2019: PureVPN gets audited by Altius IT

Type of audit: no-logging policy audit

If there’s one VPN provider that needed a no-logging policy audit, it would be PureVPN. If you remember, they were the ones caught providing the FBI with records instrumental in arresting and convicting 24-year-old Ryan Lin. These records, or logs, were not supposed to exist, as PureVPN had previously claimed not to keep any logs at all.

Since then, they’ve updated their Privacy Policy to tighten up their no-logs policy. But with their reputation already tainted, they needed stronger assurances than a policy document, so they contracted the California-based security auditors Altius IT to verify their no-logs claims.

And the results? Here’s what Altius had to say:

“[we] did not find any evidence of system configurations and/or system/service log files that independently, or collectively, could lead to identifying a specific person and/or the person’s activity when using the PureVPN service.”

That’s pretty great news, and it’s definitely a step in the right direction, although we’d like to see the full report for ourselves rather than a quoted excerpt. To celebrate, PureVPN is even offering a 30% discount on all its plans with the code NOLOGSVPN.

VPNs that have not been audited

For a trend or movement to work, it needs to continue steadily and grow rapidly. And although the movement is only just starting, we’re still waiting on some of the other VPN giants to at least announce their own independent audits. These include:

  • TorGuard
  • Ivacy
  • CyberGhost
  • PrivateVPN
  • Private Internet Access
  • HideMyAss
  • and pretty much every other VPN

If they care about privacy, if they care about security, if they want to prove to the world that they can be trusted, we need receipts. We need audits, or at least an announcement of when the audits will happen. A provider’s own statement that it is safe and not logging, selling, or leaking our data is not enough; an independent party needs to confirm it.

Only then can we make sure that we’re safely exploring the internet, with full privacy, security, and control.



  1. Dan

    Hide.Me was one of the first VPN providers to be independently audited by an auditor – Leon Juranic. This happened in 2015 –

  2. King_Larsen

    Extremely Safe and Secure. Of course, no matter how cheap the VPN, you need to know that it’s safe. Tunnelbear uses industry-standard OpenVPN encryption on Windows, Mac, and Android devices.

  3. Bailey Young

    I love this new trend of independent VPN audit; definitely, it will prove to the world that VPN providers can actually back up their claims with a working product that delivers privacy and security

  4. Caíto

    I understand NordVPN never shared their PWC audit paper, which would make VyprVPNs claims of being the first “certified” “no-logs” VPN true. The other audits prior to NordVPN were all on security, not logs.

      Jan Youngren Author

Hi there – yes, Nord wasn’t allowed to share their audit report. I’m not really following how that would make Vypr’s claims any more true, however. It still stands that they weren’t the first in the world to have an audit of their no-log policy (seeing as you can also easily find Nord’s). And yes, as we mentioned in the article, the first 3 were only security audits, while Nord’s and Vypr’s are both no-log audits. Nonetheless, it’s a trend we’d love to see continue in the industry. That’s why we’re going strong with our #wheresyouraudit campaign, to make sure others catch on. We’d love it if you would join us!
