If your VPN provider can't prove they're doing everything in their power to protect your privacy, it's probably time to look for a new VPN. For example, we annually hire a group of recognized security experts to tear apart TunnelBear's entire codebase, server infrastructure, website and apps. Now we're releasing the results of those tests for the third year in a row.
Internet security is an ever-evolving concern. Three years of security audits have shown us that today's secure system is tomorrow's bug report. There are a lot of moving parts to keeping a company secure. Whether it’s an improperly configured API or a zero-day that's just been discovered, if you aren't regularly looking for security vulnerabilities, it's only a matter of time before they find you.
2019 in review
2019 was a big year for TunnelBear as we rapidly expanded our infrastructure and released an SDK that powers our partners' VPN products. We tightened security, sped up connections and built new servers. We were even awarded "Best VPN" by the Wirecutter, which is no small feat.
It was a mammoth undertaking. One that every person on the TunnelBear engineering teams touched at some point. We're proud of the work we've done. However, we’ve learned that reexamining our work makes TunnelBear better, safer and more secure.
With that, we'd like to announce the results of our third annual independent security audit. We hired Cure53 to audit our entire codebase, infrastructure, website and apps so we could have a clear picture of TunnelBear's current security posture. You can find the full report on Cure53's website, but here's a quick breakdown.
We believe in earning customer trust through transparency. It's this philosophy that led us to release the consumer VPN industry's first security audit to the public in 2017. A full audit and report of everything we do, apps, code, infrastructure. All of it. We hoped that other providers would follow our lead and a small trickle have.
In 2018, we had another industry first. We released a second security audit, making TunnelBear the only VPN provider to do back-to-back annual public full scope audits. While there were a few more companies that released audits of their own in 2018, many of them were limited in scope or never released for public review. It feels like more providers are embracing transparency, but there’s a long way to go before audits are an industry standard.
For this year's report, we hired Cure53 for a third time because of our mutually established work methods, and the familiarity Cure53 now has with our technology stack. They spent 37 days poring over every part of TunnelBear, and we're happy to share the results.
What are the 2019 results?
In total, Cure53 found 2 Critical, 4 High, 1 Medium, 2 Low and 3 Informational issues, which were all fixed promptly. Similar to the results of last year's audit, the few issues that were found to be of concern required access to a user's device and heightened permissions. For more information about the findings, please read the full report on Cure53's site. Overall, we were proud to hear Cure53’s positive takeaways from the project:
“The benchmarks are better and better, while ambitious security milestones are being set, despite the TunnelBear’s increasing scale and complexity.”
“TunnelBear [is] a clear frontrunner among its VPN competitors when it comes to security.”
“TunnelBear […] clearly cares about their project’s security posture and privacy of their users.”
“After spending 37 days on the scope in November 2019, 10 members of the Cure53 team can conclude that the security posture of the tested TunnelBear components is sound.”
Welcoming the new year
We’re happy to close out 2019 with a strong security footing. Every audit we release is another year of growth, improvement and hard work to make the consumer VPN industry more trustworthy. We’ve always believed that your privacy is important, and we’re glad that we’re able to help you secure your online life. Audits aren’t just our way of showing you we care, but that we’re committed to finding new and better ways to protect you today, and in the future.
Over the coming year, we’ll continue to improve our infrastructure, speed up connections, improve our anti-censorship technology, and make TunnelBear a better security tool than ever before. As we build new features, we’ll use what we’ve learned from our previous audits to make 2020 our best year yet. We hope you’ll join us along the way.