ExpressVPN aces three independent security audits

ExpressVPN on PC and Windows 10 devices
(Image credit: ExpressVPN)

Not only has it been confirmed as the #1 best VPN on the market by our last round of testing, ExpressVPN also aced all the latest independent audits on its security infrastructure. 

Two different cybersecurity firms, Cure53 and F-Secure respectively, were called to check all its desktop applications for any vulnerabilities. Specifically, Cure53 performed penetration tests and source code audits of its macOS and Linux apps. F-Secure carried on similar checks on the most recent version (v12) of its Windows client.  

Despite finding some minor bugs, all the reports conclude that ExpressVPN is a safe choice to secure your most sensitive data against any cybersecurity threats. 

What's more, these impressive results come just a few weeks after both its privacy policy and server technology got the OK from independent auditors

'No major issues and strong impressions gained'

"As a result of the absence of major issues and strong impressions gained during the audit, Cure53 can only confirm that the ExpressVPN team instills due diligence in its efforts against the many and varying threats that modern VPN applications tend to face," concluded the auditing firm, praising the access and collaboration grant from the provider during the process. 

As mentioned before, Cure53 performed white-box testing on ExpressVPN's macOS and Linux apps between June and July 2022. These were aimed to check if users' privacy is secured at all times. 

In both cases, auditors could find only a handful of minor vulnerabilities with very little risk for users' data. 

Specifically, the macOS app review revealed only two minor security risks and four possible improvements. Check the full report results here.   

Likewise, the audit of its Linux apps uncovered two security vulnerabilities and three general weaknesses with lower exploitation potential. 

"It needs to be stated clearly that this list of issues is very short, pointing to the overall good outcome of this testing round," wrote Cure53.

At the same time, ExpressVPN developers claimed that these bugs have since then been reviewed.

After asking F-Secure to check the previous app's version, the secure VPN provider decided to call the firm for another review on its latest Windows v12 in March. 

Here, a mix of white-box and grey-box tests couldn't identify any security weaknesses. Only a non-exploitable informational issue was found, but it has already been fixed and retested as solved a month later. Check the final report for more details.

"These audits are a testament to the efforts we put into improving and securing our product, and we’re glad to receive the validation from Cure53 and F-Secure," said ExpressVPN penetration testing manager Brian Schirmacher. 

"We’re committed to delivering audits on our mobile apps soon, and will continue to ensure privacy and security at every touchpoint of our product."

Chiara Castro
Senior Staff Writer

Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life—wherever cybersecurity, markets and politics tangle up. She mainly writes news, interviews and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar Pro, TechRadar and Tom’s Guide. Got a story, tip-off or something tech-interesting to say? Reach out to chiara.castro@futurenet.com