Lightway’s Rust rewrite undergoes two security audits, by Cure53 and Praetorian

ExpressVPN news

At ExpressVPN, we’re driven by a commitment to develop best-in-class, security-first products that set new industry standards. That is why since the launch of Lightway, our open-source VPN protocol built from the ground up, we have regularly commissioned penetration tests and source-code audits to validate its security.

As we unveil the latest iteration of Lightway, now completely reimplemented in Rust and subsequently open-sourced, we’re happy to announce that it is backed by not one, but two comprehensive security audits from independent cybersecurity experts Cure53 and Praetorian. This rigorous dual-audit approach, unique in the industry, reflects our uncompromising standards for security validation.

Dual audits for greater trust and transparency

Today, we are happy to share the results of the latest independent audits for Lightway. The assessments by Praetorian and Cure53, which took place in September and October 2024 respectively, examined Lightway’s new source-code implementation and the WolfSSL-RS sources.

We’re proud to share that the security audits delivered consistent, positive results—a strong validation of Lightway’s Rust implementation. Across both reports, only a small number of issues were identified, none of which were critical. The report from Praetorian identified just two low-risk issues, while Cure53 noted five items—four of which were classified as miscellaneous findings with low exploitation potential. The issues have since been addressed and validated again by both experts in a retest conducted in December 2024.

The report from Cure53 further stated that the “very limited number of findings, especially with only one exploitable vulnerability, can be interpreted as a positive sign for the security of the ExpressVPN Lightway protocol.”

“Ultimately, it can be argued that the ExpressVPN Lightway protocol and its implementation in Rust are already in a good state of security,” Cure53 summarized in its report.

Similarly, Praetorian’s report commended the effective controls of Lightway’s technology, specifically highlighting the “secure usage of Rust unsafe blocks,” which allows us to maintain flexibility in our code to perform essential low-level network operations that aren’t possible with Rust’s standard memory safety features.
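As an added illustration, not code from Lightway or ExpressVPN, the following Rust snippet shows the pattern an auditor has in mind when they assess the secure use of `unsafe`: the unsafe operation is confined to a single expression, every precondition it relies on is checked in safe code first, the justification is recorded in a `SAFETY` comment a reviewer can verify, and callers get a fully safe API. The wire layout, field names and the `parse_datagram` function are hypothetical and chosen only for illustration.

```rust
// Added example (not Lightway's own code): confining one `unsafe` read
// behind checked invariants so that callers never need `unsafe` themselves.
use std::ptr;

/// Hypothetical fixed-layout wire header (not Lightway's real format).
#[repr(C, packed)]
#[derive(Clone, Copy)]
struct WireHeader {
    version: u8,
    kind: u8,
    payload_len: u16, // big-endian on the wire
}

/// Size of the wire header in bytes (4 for the layout above).
pub const HEADER_LEN: usize = std::mem::size_of::<WireHeader>();

/// Host-order view of the header handed back to safe callers.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct Header {
    pub version: u8,
    pub kind: u8,
}

/// Parse a datagram into its header and the payload the header describes.
///
/// Returns `None` if the buffer is too short for a header or if the declared
/// payload length exceeds the bytes actually present. The only `unsafe`
/// operation is a single unaligned read whose preconditions are established
/// by the safe bounds check directly above it.
pub fn parse_datagram(buf: &[u8]) -> Option<(Header, &[u8])> {
    if buf.len() < HEADER_LEN {
        return None;
    }
    // SAFETY: `buf` holds at least HEADER_LEN bytes (checked above), so the
    // pointer is valid for a read of size_of::<WireHeader>(); `read_unaligned`
    // tolerates any alignment; and every bit pattern is a valid WireHeader
    // because all fields are plain integers with no invalid states.
    let raw = unsafe { ptr::read_unaligned(buf.as_ptr() as *const WireHeader) };

    // Copy fields out of the packed struct by value before using them.
    let version = raw.version;
    let kind = raw.kind;
    let payload_len = u16::from_be(raw.payload_len) as usize;

    // `get` with a range performs the second bounds check in safe code.
    let end = HEADER_LEN.checked_add(payload_len)?;
    let payload = buf.get(HEADER_LEN..end)?;

    Some((Header { version, kind }, payload))
}

fn main() {
    // Constructed sample datagram: version 2, kind 1, 3-byte payload "abc",
    // followed by one trailing byte the header does not claim.
    let datagram = [0x02u8, 0x01, 0x00, 0x03, b'a', b'b', b'c', 0xff];
    match parse_datagram(&datagram) {
        Some((hdr, payload)) => println!("{:?} payload={:?}", hdr, payload),
        None => println!("malformed datagram"),
    }
    // A header that claims more payload than is present is rejected.
    let truncated = [0x02u8, 0x01, 0x00, 0x10, b'a'];
    println!("truncated accepted: {}", parse_datagram(&truncated).is_some());
}
```

The design point a reviewer checks is that the unsafe block cannot be reached with an invalid precondition from safe code: the length test precedes the read, the `SAFETY` comment states exactly which facts the read depends on, and the declared payload length is validated with a safe slice operation rather than trusted.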

The report further highlighted the strong cryptographic primitives in Lightway that are built on WolfSSL, which effectively protects encrypted traffic against various attacks including replay, injection, tampering, and cache-timing—ensuring the highest security standards when connecting with Lightway.

“ExpressVPN has always led the industry in third-party evaluation and verification of our software, technology, and policies,” says Aaron Engel, Chief Information Security Officer at ExpressVPN. “Having Lightway evaluated by two independent third-party auditors is our way of showing our commitment to transparency while demonstrating our confidence in the technology we have developed.” 

Industry-leading VPN protocol 

A VPN protocol plays a crucial role as the foundation for every VPN service. By reimplementing Lightway in Rust, our goal is to improve the overall VPN experience with better security and better performance. 

By subjecting our Rust implementation to this level of scrutiny, we’re not only ensuring the highest security standards for our users but also contributing to the broader VPN industry’s evolution by providing a thoroughly vetted, open-source protocol that others can adopt.

Read the full reports from Cure53 and Praetorian.
