Here at VPNCompare, we have always emphasised the value of independent audits to support VPN providers' statements on the security and privacy of their services.
ExpressVPN, our Editor's Pick for the best overall VPN provider, has been leading this process for quite some time, and today it released the findings of two more independent audits of its service.
With eight public audits of its rules and infrastructure overall, ExpressVPN is both the best and the most audited VPN provider in the world (as far as we are aware).
The first audit made public today examined ExpressVPN's no logs policy and was conducted by international consulting firm KPMG.
They specifically looked for any proof that ExpressVPN, in contrast to their much-lauded assertions, actually collected activity logs or connection logs. KPMG also examined the veracity of ExpressVPN's assertions regarding the new TrustedServer technology.
The audit followed the widely used International Standard on Assurance Engagements (ISAE) (UK) 3000 Type 1 procedures. You can read it in its entirety here if you're okay with KPMG's terms and conditions.
In other words, it gave ExpressVPN the all clear and attested to the truthfulness of its no user logs pledge.
Separately, ExpressVPN also hired independent cybersecurity company Cure53 to examine the TrustedServer technology's source code. Cure53 additionally performed a white-box security evaluation of TrustedServer.
Although a few small issues were found, this is typical of audits of this kind and is one of the reasons organisations like ExpressVPN want to carry them out.
It noted that "none of the four actually revealed vulnerabilities was ranked with a High or Critical severity level, displaying an already rather resilient environment exposed by the ExpressVPN TrustedServer components," adding that what it had discovered was "simple to rectify and resolve."
This is a really high compliment and demonstrates once more how secure ExpressVPN's TrustedServer technology is.
You can read the audit's specifics here if you'd like to.
Additionally, ExpressVPN made a point of emphasising that the $100,000 bug bounty it offered for TrustedServer is still open to any ethical hacker who wants to test the technology and see if they can uncover a critical flaw that Cure53 and the best that ExpressVPN has to offer have overlooked.
ExpressVPN truly stands head and shoulders above the rest of the VPN market when it comes to carrying out independent audits, as we highlighted at the beginning of this post.
In addition to the two audits made public today, six further independent audits of ExpressVPN's technology and practices have been conducted. They are as follows:
A PwC Switzerland audit of their internal technology TrustedServer and compliance with their privacy policies
A review of their build verification process by PwC Switzerland
Cure53's security review of its browser add-on
Cure53's examination of the security of the VPN protocol Lightway
F-Secure's evaluations of its Windows v10 and v12 programmes
Cure53's examination of their Aircove router's security
It's clear from this impressive list of successful independent audits that ExpressVPN is now the most reputable, secure, and private premium VPN on the market.
In announcing these two most recent audits, ExpressVPN's Head of CyberSecurity, Aaron Engel, stated, "We are delighted that our systems and core server technology were inspected by KPMG and Cure53."
"In addition to other security initiatives like our bug bounty programme, regular third-party audits that verify our controls and the output of our internal team's work provide us with even more assurance that we are adequately safeguarding our users," Engel added.
"We take great pride in setting the standard for trust and transparency in our sector, and we eagerly anticipate issuing many more audits this year."
We are thrilled to see ExpressVPN making such a significant commitment to audits and are eager to read their upcoming batch as they become available.
In the months and years to come, we anticipate that more VPN providers will take ExpressVPN's example and implement similar solutions.
For now, such audits only serve to further solidify ExpressVPN's position at the top of our Editor's Picks list of the best VPNs available today.