In 2016, when we hired Cure53 to conduct a security audit of TunnelBear, we didn't know if we'd still be doing them 7 years later. We simply wanted to try something new by making transparency a core part of how VPN providers would be judged moving forward.

7 years of audits. 2 month's effort. 0 regrets.

You all have shown us that you care about transparency, and we couldn't be happier to continue the annual trend of having TunnelBear audited in its entirety, so that we could share the results with you.

With all of that said, let's dig into the results of 2023's audit!

Conducting the audit

Cure53 was instrumental in conducting our 2023 security audit (as with previous years). A major thank you to the individuals at Cure53 for completing the work we hired them to do, and for their overall responsiveness, professionalism and clear communication when we needed to reach out for clarification on their findings.

2023's audit began in October and comprised of a total of 43 days of work. This included a team of 7 senior auditors from Cure53 going through each of the TunnelBear applications, website, VPN infrastructure, backend, and various technologies that we've built and use to help maintain our service.

Reviewing the results

Through their testing, the Cure53 team reported a total of 13 issues this year, with only 7 considered to be of medium risk or higher. 12 out of the 13 identified issues have been fixed or mitigated.

...TunnelBear developers have overseen a marked security improvement with each passing round of testing.

Specifically, Cure53 reported a total of 6 informational/low-risk issues, 5 medium-risk issues, 2 high-risk issues, and 0 critical-risk issues. These findings are a major improvement compared to previous year's audits - making this year's results one of our best to date.

You can read the full report by Cure53 here.

Our commitment to transparency

These audits are only one of many different steps that we can take to maintain the integrity and security of TunnelBear, and provide you all with the transparency you deserve.

Put simply, we intend to continue conducting these audits each year, and look forward to scheduling our next security audit later in 2024.

Once again, thank you to Cure53 and to the entire TunnelBear development team. It's through their efforts that we are able to further improve our Bears, making them more secure than ever before.

Sincerely rawrs,

the TunnelBear Team