Over six years ago, TunnelBear became the first ever consumer VPN to publish a third-party security audit to the public. At the time, we were hoping to influence the entire VPN industry by setting a new standard for transparency and open communication. This is something that we are happy to have seen become a new benchmark for which VPN providers worldwide are now measured against.
That said, there is still lots of work remaining. We’re planning on introducing even more new features to the TunnelBear app, we have a much larger focus on supporting anti-censorship technologies than ever before, and we’ve been conducting our own internal security audits and improvements which we hope to share more about soon.
In 2016, the TunnelBear team made a commitment to continue conducting public security audits every year, and we are happy to finally share the results from 2022.
Conducting the audit
To begin, we owe a massive thank you to Cure53, the independent cybersecurity firm that has been conducting our audits since 2016. An extensive effort was also put forth by our own Pixel Bear and PhytoBear, who helped prepare secure testing environments, access to code, and support during the auditing process. Without these individuals, our 2022 security audit would not be possible
The scope was well-prepared and transparent... The TunnelBear team delivered excellent test preparation and assisted the Cure53 team...
Cure53’s security audit officially began in October 2022 - lasting a total of 42 days and comprising of eight security researchers from their team. Cure53 went through each of the TunnelBear applications, our entire VPN infrastructure and backend, our frontend and public sites, the TunnelBear AWS infrastructure, and various technologies we employ on our network.
Reviewing the results
Upon completion of their audit, Cure53 flagged a total 32 issues. While 17 of the detected issues were considered to be of minor risk and severity, that still left 15 security vulnerabilities to be addressed by the TunnelBear team. As of today, 27 of the reported vulnerabilities have been resolved, leaving only five remaining issues.
One of the highlights from the audit was our frontend performance. While Cure53 did provide hardening recommendations, the TunnelBear applications (specifically our mobile apps) and website were commended for their security and protective measures.
However, it’s important to note where we need to improve, and Cure53 highlighted some critical areas in which we can do so.
Cure53 strongly recommends that the TunnelBear team invests ample time and resources into further developing its security design concepts...
Even though more than half were of minor severity, 32 found issues is still a lot. This showcases a greater need for more care and attention as we expand our infrastructure and introduce new capabilities. Additionally, many of the more critical issues found revolved around network hardening - a need to reduce the surface area in which attackers could target our VPN infrastructure.
So what’s next for TunnelBear?
We intend to continue conducting these audits and we have already scheduled our 7th audit from Cure53 later this year.
It’s important to understand that the responsibility to maintain a secure VPN infrastructure doesn’t simply start and stop with third-party audits. Alongside Cure53’s efforts to help improve our service, we’ve been running our own internal security and privacy audits as well. We intend to share our findings and improvements once complete.
As always, we want to thank Cure53 for their detailed reporting, and the members of our team that helped resolve the vulnerabilities found in 2022.
See you next time, and stay safe.