ExpressVPN's Lightway Goes Through Yet Another Independent Audit by Cure53
Published on March 8, 2023
It’s been only a couple of weeks since ExpressVPN revealed the results of its privacy protection-related audits. Those two audits were done by KPMG and Cure53, both of which are respectable cyber-sec companies. Also, that round of audits focused on the VPN’s protection of its privacy policy and server technology security, which ExpressVPN aced.
And now, the VPN has unveiled the results of 3 additional audits, focusing on its clients for Windows, macOS, and Linux. That means the entire suite of ExpressVPN’s desktop apps was under the spotlight, with the purpose of validating the accuracy of the VPN’s security claims.
The latest audit of ExpressVPN’s Windows app (v12) was done by F-Secure, just months after F-Secure reviewed ExpressVPN’s v10 Windows app. Unsurprisingly, the results of the latest audits are highly positive. No vulnerabilities were discovered, and there was only one informational observation regarding the use of insecure C/C++ functions (already fixed).
It's worth stressing that no vulnerabilities were identified in the ExpressVPN v12 Windows app, meaning the auditors found no way to achieve arbitrary code execution, information disclosure, or IP address leakage.
The results of the audits of ExpressVPN’s macOS and Linux applications are also worthy of praise. Cure53 was hired for those audits, and its team highlighted a total of 6 findings, 2 of which were categorized as security vulnerabilities (already fixed). As per Cure53, “the overall yield of findings is relatively small in comparison to similarly-scoped audits.”
When it comes to ExpressVPN’s Linux application, the results of that audit highlight a total of 5 issues, 3 of which were marked as “Medium.” There were no findings considered overly serious, and most of those were already addressed by ExpressVPN’s team. As Cure53 concluded: “the ExpressVPN Linux client and codebase demonstrated that the components in scope have been developed and deployed with a lot of attention to security best practices.”
“As part of our continuous trust and transparency efforts, we’re proud to announce that all of our desktop apps have now been audited,” said Brian Schirmacher, penetration testing manager at ExpressVPN. Schirmacher also added that we can expect to see ExpressVPN’s mobile apps audited soon, which would put ExpressVPN miles ahead of its competition in terms of transparency and trust.
If you’d like to learn more about the previous audits and other recent developments regarding this capable VPN, check out our summary of what’s new in ExpressVPN.