Our review and research guidelines

Product review process

Before anything else, we want our work to be honest and unbiased. To do so, we test everything ourselves following a set of predetermined guidelines. 

Some of the topics we discuss are quite technical, but we aim to make our articles easy enough to understand for regular users. Although the intricacies of the digital world aren’t always welcoming for beginners, privacy is a right we all share – thus, everyone should be able to use the necessary tools to achieve it.

VPNpro is owned by Mediatech, a publishing house whose investors are the founders of Nord Security, the company behind NordVPN and Surfshark. As a tech-focused publication, we routinely test, review, and rank those technology products. We strive to offer honest, objective, and professional assessments of products and services, empowering our readers to make informed decisions. 

Why are VPNs important?

Today’s internet is a far cry from the ideals that drove its creation – the notion of a democratic space, where everyone can share ideas and participate in a borderless, global conversation without the fear of repression. Instead, it’s ever-controlling, observing, and sectioned into country-shaped pieces.

At their best, VPN services go a long way towards fixing these issues. At their worst, however, they are part of the problem, and distinguishing the good from the bad can be difficult. The VPN industry is very competitive and full of actors trying to sway the conversation in their favor – a voice readers can trust is more important now than ever.

Research process

We aim to push forward the global understanding of the importance of security and privacy by providing useful, ethical, and free-of-charge research. We share information about VPN vulnerabilities, exploits, unsecured databases and other cybersecurity issues (hereinafter – vulnerabilities) to inform the public and improve quality standards in the VPN industry.

At VPNpro, we follow these ethical research guidelines:

  1. If we discover any kind of vulnerability that makes users’ data accessible, we never download or use that data in any way. We gather a few screenshots as proof of the vulnerability and depersonalise the information that’s visible on them.
  2. Our first aim is to help organisations keep their systems and data safe. Therefore, the first step we take is informing the organisation of the vulnerability and giving it a “grace period” (not less than 30 and not more than 120 days) to patch it. We provide all necessary information and assistance.
  3. In cases where we have reliable information that the vulnerability is actively exploited by malicious actors, or if the organisation patches it quickly, the disclosure term can be shorter. If an organisation needs more time to patch it, the disclosure term can be longer.
  4. If the organisation is not responding, we also contact a local computer emergency response team (CERT) office to report the vulnerability.
  5. We do not ask, and never will ask, for financial compensation or ransom of any kind from any organisation that we assist.
  6. As far as our handling of data is concerned, there is never a risk of confidential or personal data being shared or made available.
  7. We publicly disclose the vulnerability in cases when a) it has been patched, and b) all means of communication with the organisation have been exhausted, the “grace period” was provided, and disclosing the information is in the public’s best interest.