Recently NordVPN announced it had completed a third audit of its no-logs policy. It showed, for the third time, that the company does what it says in its privacy policy and does not record information about how its customers use its service.
Now, it has revealed more audit results, this time for the security of its apps, website, servers and infrastructure.
Berlin-based Cure53 ran tests from July to October 2022 and NordVPN has made the two reports publicly available to anyone who wants to read them. You can find the app audit here and the server audit here.
And if you do read them, you’ll see that Cure53 did find some problems, although only one potentially dangerous one in the macOS app. But this and all other issues highlighted in the reports have been fixed and those fixes subsequently checked and approved by Cure53.
This may all sound rather dull and boring, but it’s important. It demonstrates that NordVPN is happy to be transparent about its service, something you won’t find from every VPN service. Plus, audits aren’t simply carried out to prove that there are no security holes. They help to identify vulnerabilities and put them right, as was the case here.
“Dedication to product development and a happy customer always pay off. We continuously improve the overall performance of our service and develop advanced VPN features, giving our users increased online security. Our developers fixed all detected vulnerabilities, and they were approved by Cure53, ensuring that NordVPN implemented all mitigations correctly,” says Marijus Briedis, CTO at NordVPN.
In the audit of NordVPN’s apps, Cure53 noted that it had identified “a total of twenty-two [issues]. Six of the findings were categorized as security vulnerabilities, whilst the remaining sixteen were deemed general weaknesses with lower exploitation potential.”
“Conversely, the scope covering the Android applications garnered a considerably positive impression, largely owing to the fact that only minor findings of informational severity were identified here.”
As for the server and infrastructure audit, Cure53 said, “Generally speaking, the overall yield of findings documented in this report is relatively moderate, which represents a positive indication of the perceived security state of the NordVPN servers and infrastructure. This impression is also corroborated by the fact that out of the eleven findings, only a single one was deemed a security vulnerability, whereas all other findings were considered miscellaneous in nature and should be trivially easy to address and mitigate.”
Audits are important because VPN services rely on trust. As a customer, you need to trust that your data is kept safe and secure and that your activity isn’t being recorded.
There are many VPN services you could choose, but you’re much more likely to pick one that has been audited.
NordVPN isn’t the only service to commission audits. ExpressVPN has had a similar selection of audits carried out in the past year, while Surfshark recently confirmed the results of its first no-logs audit.
Private Internet Access, CyberGhost, Proton and PureVPN also had no-logs audits in 2022, which is great to see and means there’s a bigger choice if you would only consider using an audited VPN.
Of course, the ideal situation is for these audits to happen on a regular basis, and especially whenever a VPN service changes ownership.