Consumers and experts alike have good reason to question the security claims of the VPN industry. Over the last few years, many less reputable VPN companies have abused users' trust by selling their bandwidth or their browsing data, offering poor security, or even embedding malware.
Being within the industry, it’s been hard to watch. We knew TunnelBear was doing the right things. We were diligent about security. We deeply respected our users' privacy. While we can’t restore trust in the industry, we realized we could go further in demonstrating to our customers why they can, and should, have trust in TunnelBear.
TunnelBear has completed the consumer VPN industry's first 3rd party, public security audit.
Today, we’d like to announce that TunnelBear has completed the consumer VPN industry's first 3rd party, public security audit. Our auditor, Cure53, has published their findings on their website and we’re content with the results.
In late 2016, we hired Cure53, a respected security company, to do a complete audit of our servers, apps and infrastructure. Using a “white-box” approach, they were given full access to our systems and code. Our original plan was to use their findings internally to confirm we were delivering on our promise to secure your browsing and proactively identify vulnerabilities. However, the recent crisis of trust in the VPN industry showed us we needed to break the silence and share Cure53’s findings publicly. Today we’re sharing a complete public audit which contains both the results from last year and the results from the current audit.
As the auditor, Cure53’s opinions and findings are their own, with the results being published on their website. TunnelBear was given the opportunity to provide feedback on the report, before it was published, where we felt findings were inaccurate or irreproducible. As is the case with most security audits, Cure53 was paid for their work. We wouldn’t expect any cybersecurity company to spend a few hundred hours auditing our code for free.
What were the results?
If you’ve already looked at the results, you’ve seen that the 2016 audit found vulnerabilities in the Chrome extension that we weren’t proud of. It would have been nice to be stronger out of the gate, but this also reinforced our understanding of the value of regular, independent testing. We want to proactively find vulnerabilities before they can be exploited. We hadn’t intended to publish the 2016 results. However, we’re hoping the security community appreciates our candid transparency in the 2016 report and our demonstrated investment in security over time.
All findings discovered in the 2016 audit were promptly addressed by TunnelBear’s engineering team and verified to be fixed by Cure53.
TunnelBear deserves recognition for implementing a better level of security
In the June 2017 audit, we were more content with the results. All vulnerabilities represented low-risk findings. As Cure53 put it, “The results of the second audit clearly underline that TunnelBear deserves recognition for implementing a better level of security for both the servers and infrastructure as well as the clients and browser extensions for various platforms”.
All findings discovered in the 2017 audit have also been addressed by TunnelBear’s engineering team with only informational findings remaining.
You can read the full report on Cure53’s website.
Our ongoing commitment to security
Our plan is to earn trust and move the VPN industry in a new direction around transparency. While many VPN companies will continue to live in obscurity, with claims of protecting your security, it’s our hope that by completing the industry's first 3rd party, public security audit, experts and consumers alike can be sure that TunnelBear delivers on its security promises.
…good security needs constant reevaluation.
If we’ve learned anything from this audit, it’s that good security needs constant reevaluation. Annual public audits will become routine to help us quickly identify vulnerabilities and demonstrate transparency in an industry where trust is sorely lacking. In the coming months we’ll share more announcements, industry insights and how-tos to give you the information you need to make the right choices about your security.
Update: There’s been a tremendous amount of excitement and interest in TunnelBear’s security audit. Originally, to keep the report at a reasonable length, we didn’t include the medium, low and informational findings. However, we’ve seen a surprising amount of interest in the details. Cure53 has published the low-level findings here. As with the previous findings, they’ve already been addressed by TunnelBear.