ExpressVPN’s security and privacy reconfirmed with two new independent audits

For a long time now, here at VPNCompare, we have been stressing the importance of independent audits to verify the claims made by VPN providers about their security and privacy protections.

ExpressVPN, our Editor’s Pick for the best overall VPN provider, has been at the forefront of this process for quite some time now, and today, it has announced the results of two further independent audits of its service.

That brings the total number of published audits of ExpressVPN’s policies and infrastructure up to eight, making them (as far as we are aware) the most audited VPN provider in the world, as well as the best.

KPMG gives ExpressVPN’s no logs policy the green light

The first audit revealed today was undertaken by global consultancy firm KPMG and looked at ExpressVPN’s no logs policy.

They looked at ExpressVPN’s controls framework and also interviewed team members as part of their audit to ensure that their processes, systems and controls around the ExpressVPN servers were in compliance with the company’s Privacy Policy.

In particular, they searched for any evidence that ExpressVPN did, in fact, collect activity logs or connection logs contrary to their much-vaunted claims. KPMG also looked at the validity of claims made by ExpressVPN about their new TrustedServer technology.

The audit was carried out under the globally recognised International Standard on Assurance Engagements (ISAE) (UK) 3000 Type 1. If you want to read it in full, and are happy with KPMG’s terms and conditions, you can do so here.

In short, it gave ExpressVPN a clean bill of health and confirmed that its no user logs guarantee is indeed 100% reliable.

Cure53’s TrustedServer Audit

Separately, ExpressVPN has also commissioned independent cybersecurity firm Cure53 to audit the source code of ExpressVPN’s unique TrustedServer technology. Cure53 also conducted a white-box security assessment of TrustedServer.

While a number of minor flaws were identified, this is the norm with just about every audit of this type, and indeed one of the reasons why companies like ExpressVPN like to conduct them.

Cure53 described what it found as “trivial to fix and resolve” and added that “none of the four actually identified vulnerabilities was ranked with a High or Critical severity score, showcasing an already quite robust environment exposed by the ExpressVPN TrustedServer components.”

This is high praise indeed and once more reconfirms the security of ExpressVPN’s TrustedServer technology.

If you want to read the details of this audit too, you can do so here.

ExpressVPN was also at pains to stress that their $100,000 bug bounty for TrustedServer is still available for any ethical hacker who wants to put the technology through its paces and see if they can find a serious vulnerability that Cure53 and the best that ExpressVPN has to offer have missed.

ExpressVPN leads the way with independent audits

As we noted at the top of this article, ExpressVPN really is head and shoulders above the rest of the VPN market when it comes to conducting independent audits.

On top of these two audits released today, an additional six independent audits of ExpressVPN’s technology and policies have been undertaken. They are:

  • An audit by PwC Switzerland of their privacy policy compliance and their in-house technology TrustedServer
  • An audit by PwC Switzerland on their build verification process
  • A security audit by Cure53 of their browser extension
  • A security audit by Cure53 of their VPN protocol Lightway
  • Security audits by F-Secure of their apps for Windows v10 and v12
  • A security audit by Cure53 of their Aircove router

That’s some track record of positive independent audits to be able to lean on, and it really goes to show that ExpressVPN is the most verified secure and private premium VPN on the market right now.

As ExpressVPN’s Head of CyberSecurity, Aaron Engel, said in announcing these two latest audits, “We are pleased that our systems and core server technologies were examined by KPMG and Cure53.”

“Regular third-party audits that validate our controls and the results of our internal team’s work, along with other security efforts like our bug bounty program, give us even more confidence that we are protecting our users well,” he continued.

“We are proud to be leading the industry in trust and transparency and look forward to publishing even more audits this year.”

We are thrilled to see ExpressVPN committing to audits in such a big way and look forward to reading their next batch as and when they emerge.

We hope that other VPN providers will be following ExpressVPN’s lead on this front in the months and years ahead.

For now, such audits are only going to help cement ExpressVPN’s place at the top of our Editor’s Picks list of the best VPNs on the market right now.

Author: David Spencer

Cyber-security & Technology Reporter, David, monitors everything going on in the privacy world. Fighting for a less restricted internet as a member of the VPNCompare team for over 7 years.

Away from writing, he enjoys reading and politics. He is currently learning Mandarin too... slowly.
