At ExpressVPN, we believe in earning user trust through transparency rather than just asking customers to take our word for it. This is why we regularly publish audits by trusted third parties, providing independent verification of the privacy and security commitments we make to users.
We’re pleased to announce that our current app for Windows has been reviewed by a third-party cybersecurity firm, F-Secure, via a penetration test to confirm the app’s privacy protections and strong security posture. The purpose of the assessment was to attempt to identify any potential security weaknesses within the app, specifically vulnerabilities relating to information disclosure or IP address leakage, as well as the ability of an attacker to execute code remotely. The assessment was conducted from November 2021 to December 2021.
We’re proud to say that F-Secure issued an exceedingly positive report, with none of the targeted vulnerabilities found. “It was not possible to gain information about ExpressVPN’s clients or out of the network traffic,” the report reads. “Nor was it possible to execute code remotely through attacks such as, but not limited to, Man-in-the-Middle (MitM), TLS downgrading, packet injection.”
Of the security issues flagged, one was of low severity and all others were informational. No critical, high, or medium issues were found. We have since remedied issues raised in the report, as also confirmed by F-Secure during a re-test in February 2022.
How audits strengthen security claims
As a privacy-focused company, ExpressVPN works hard to ensure that our software and systems provide an extremely high level of privacy protections to our users. In order for us to be confident of our security claims, we test our software internally but also regularly engage independent cybersecurity experts to assess our products and validate the accuracy of our claims.
These third-party audit reports don’t just inform us; they also give users insight into the accuracy of our security claims and help them make an informed decision when choosing a VPN.
Find out more about our past audits and security assessments:
- An assurance engagement by PwC Switzerland on our build verification process
- A security assessment of our browser extension by Cure53
- A security audit by Cure53 of our VPN protocol Lightway
These assurance engagements and security assessments complement our other trust and transparency efforts, including providing open-source leak testing tools, publicly detailing our security practices, and launching the VPN Trust Initiative, which aims to promote public awareness about internet safety.
At ExpressVPN, we’re committed to doing our part to keep pushing the industry forward to better protect online privacy and security, through both technology and transparency. We look forward to publishing more audits and insights that enable you to hold us to that commitment.
Protect your online privacy and security
30-day money-back guarantee