Our customers trust us to protect their digital lives every day. One of the ways we earn that trust is through regularly engaging independent cybersecurity experts to assess our products and validate the accuracy of our security claims.
Today we’re excited to share three new audits, covering all of ExpressVPN’s desktop apps. We commissioned Cure53 to perform penetration tests and source code audits of our macOS and Linux desktop clients. F-Secure was also commissioned to review our Windows v12 app through penetration testing and source code auditing, just months after its audit of our previous Windows app (v10).
We’re delighted with the outcome of the audits, as well as our long-standing collaboration with both cybersecurity firms. Today, we’re glad to share more findings and insights from the audits with you.
“As part of our continuous trust and transparency efforts, we’re proud to announce that all of our desktop apps have now been audited,” said Brian Schirmacher, penetration testing manager at ExpressVPN. “These audits are a testament to the efforts we put into improving and securing our product, and we’re glad to receive the validation from Cure53 and F-Secure. We’re committed to delivering audits on our mobile apps soon, and will continue to ensure privacy and security at every touchpoint of our product.”
Cure53 validates the security of our macOS and Linux apps
Cure53 examined both our macOS and Linux desktop apps through white-box penetration tests and source code audits from June to August 2022. These assessments are instrumental in determining whether our apps are secure enough to withstand attacks from malicious adversaries, providing validation of the extensive work done by our engineering and security experts.
They found a low number of issues in our macOS app, uncovering only two security vulnerabilities and four informational weaknesses with low exploitation potential. We quickly addressed all relevant findings, with Cure53 reviewing the fixes to ensure no additional weaknesses were introduced.
“In conclusion, this assessment of the latest ExpressVPN application for macOS iteration leaves an exceptionally solid impression with regard to security,” writes Cure53 in their report. “All in all, the ExpressVPN team deserves high praise for its efforts to provide an exceptionally secure macOS client. Only a few minor hardening improvements are required to elevate the platform’s security posture to an exemplary level.”
Similarly, the audit of our Linux app returned a short list of security issues. Out of the five discoveries, there were two security vulnerabilities and three general weaknesses with lower exploitation potential, all of which have since been reviewed by our internal team. “Absence of findings beyond a Medium rank is yet another strong positive indicator of the condition of the security premise on the ExpressVPN Linux targets,” notes Cure53.
ExpressVPN’s Windows v12 app is more secure than ever
F-Secure conducted a security audit on our latest Windows app (v12) from February 2022 to March 2022. The audit assessed two important features of the app:
- That the app cannot be manipulated to leak information (such as a user’s IP address) outside the VPN tunnel
- That the app is not vulnerable to remote code execution attacks
We’re pleased to share that F-Secure did not find any significant weaknesses. F-Secure’s independent auditors found only one informational issue in our Windows v12 app, which was not exploitable. The issue has already been fixed, which F-Secure confirmed in a retest in April 2022.
No critical, high, medium, or minor issues were found. And, as in their previous report, F-Secure gave us a superb review, concluding: “It was not possible to gain information about ExpressVPN’s clients or out of the network traffic. Nor was it possible to execute code remotely through attacks such as Man-in-the-Middle (MitM), TLS downgrading, or packet injection.”
Windows v12 brings significant improvements to the app’s security and integration with the operating system. It also comes with a redesigned backend optimized for Lightway, our proprietary protocol that we built for a faster, more reliable, more secure VPN experience. These changes pave the way for exciting new features for our Windows users, like Parallel Connections and Threat Manager. Given these under-the-hood upgrades, we wanted Windows v12’s security verified as soon as possible. Download ExpressVPN for Windows (v12).
Note: v12 is only available for users of Windows 10 and above
Our commitment to third-party privacy and security verifications
These three new audits of our desktop apps bring the total number of ExpressVPN’s published audits to 11, ensuring that we’re providing the most secure online experience possible to our users. Here are our previous external audits and security assessments:
- An audit by KPMG of our no-logs policy (October 2022)
- A security audit by Cure53 of TrustedServer, our in-house VPN server technology (October 2022)
- A security audit by Cure53 of our Aircove router (September 2022)
- A security audit by F-Secure of our Windows v10 app (March 2022)
- A security audit by Cure53 of our VPN protocol Lightway (August 2021)
- An audit by PwC Switzerland on our build verification process (June 2020)
- An audit by PwC Switzerland of our privacy policy compliance and our in-house technology TrustedServer (June 2019)
- A security audit by Cure53 of our browser extension (November 2018)
We’ll continue to uphold our commitment to conduct more third-party audits and at a greater frequency. It’s one aspect of the many ways we ensure that our users enjoy the most secure VPN experience.