
ExpressVPN Clears 2 New Privacy and Cybersecurity Audits

The virtual private network gets picked apart by Cure53 and KPMG -- but comes away with high marks.

Rae Hodge, former senior editor
Rae Hodge was a senior editor at CNET. She led CNET's coverage of privacy and cybersecurity tools from July 2019 to January 2023. As a data-driven investigative journalist on the software and services team, she reviewed VPNs, password managers, antivirus software, anti-surveillance methods and ethics in tech. Prior to joining CNET in 2019, Rae spent nearly a decade covering politics and protests for the AP, NPR, the BBC and other local and international outlets.
[Image: ExpressVPN logo on a laptop screen. Credit: Sarah Tew/CNET]

Industry-leading virtual private network provider ExpressVPN cleared two third-party audits last week, earning high marks from both independent firms for its privacy policy and its server security. In its source code audit and white-box penetration testing, cybersecurity firm Cure53 reported only low- or medium-rated threats and no threats with high or critical severity ratings. Auditing firm KPMG separately evaluated ExpressVPN's no-logs privacy policy and reported confidence in the VPN's implementation of it. Both audits are publicly available.

"We are pleased that our systems and core server technologies were examined by KPMG and Cure53. Regular third-party audits that validate our controls and the results of our internal team's work, along with other security efforts like our bug bounty program, give us even more confidence that we are protecting our users well," said ExpressVPN cybersecurity head Aaron Engel in an October blog post. 

Engel also said ExpressVPN would be publishing even more audits this year. 


KPMG's audit looked at whether ExpressVPN's privacy policy matched the capacity and actual use of its TrustedServer technology. Evaluating the VPN's controls framework, its TrustedServer operating system configurations, and its employee compliance with the TrustedServer processes, KPMG reported confidence that ExpressVPN's no-logging policy is being upheld in its use of TrustedServer. 

Cure53's audit covered not only the TrustedServer tech but also the VPN's Lightway protocol. The firm also tested for potential IP address data leaks and for any weaknesses that would allow remote code execution. As is commonly found in the firm's reports regardless of client, some low- and medium-severity threats were present. Cure53 found 29 security-relevant discoveries, only four of which were actual vulnerabilities.

"From one perspective, the number of findings is quite large and could be seen as worrisome at first glance. However, it needs to be clearly underlined that the ratio of vulnerabilities to hardening-driven items is very good," Cure53 said in its report. 

"In other words, mostly general weaknesses and minor flaws were spotted. Further, most of them can be evaluated as trivial to fix and resolve. It can be positively acknowledged as well that none of the four actually identified vulnerabilities was ranked with a High or Critical severity score, showcasing an already quite robust environment exposed by the ExpressVPN TrustedServer components."

Since 2019, ExpressVPN has increased the number and frequency of its independent third-party audits. The two October audits follow a suite of those from other firms, including PricewaterhouseCoopers, which have similarly reported high-confidence findings on the VPN's privacy policy compliance and TrustedServer build process.
