Independent audit confirms security of Lightway for the second time

A year ago, we publicly committed to investing in a greater frequency and quantity of third-party audits. We pledged to engage more independent cybersecurity experts to assess our products and validate the accuracy of our security claims. In the past year alone, we have published new independent audits of all of our mobile and desktop apps, our privacy policy, and key technologies such as TrustedServer, the Aircove router, and our Keys password manager.

Today, we’re happy to share our latest audit—that of Lightway, an open-source VPN protocol that we built from the ground up. The assessment was conducted by Cure53 in October and November 2022, and the project included a penetration test and a dedicated audit of Lightway’s source code. 

Lightway is an important technology; a VPN protocol forms the foundation of a VPN service, shaping every aspect of your experience. This is why we invited Cure53 to audit Lightway for a second time (the first assessment of Lightway was completed in 2021), and also expanded the scope of testing.

We’re proud to say that Cure53 issued a very positive report, identifying five low-severity issues and four informational issues. No critical, high, or medium issues were found. We have since remedied all addressable issues raised in the report, as also confirmed by Cure53 during a re-test in February 2023.

“Drawing on the combination of factors, namely the comprehensive coverage, low number of findings, and an absence of high-impact problems, it can be concluded that this Cure53 assessment of the ExpressVPN Lightway components concludes with a positive result,” Cure53 states in its report.

In summary, Cure53 found Lightway to be “in a very good state of security.” Read Cure53’s full audit report for Lightway.

Our commitment to trust and transparency

With this latest assessment, ExpressVPN has completed and published 12 third-party audits in the past year alone. This also means that we have published more audit reports than anyone else in the VPN industry, further increasing the trust and transparency of our service. 

Here is a list of all our past external audits, ordered chronologically:

• An audit by Cure53 of the ExpressVPN Keys browser extension (October 2022)
• An audit by Cure53 of the ExpressVPN browser extension (October 2022)
• An audit by KPMG of our no-logs policy (September 2022)
• A security audit by Cure53 of our app for iOS (September 2022)
• A security audit by Cure53 of our app for Android (August 2022)
• An audit by Cure53 of our Linux app (August 2022)
• An audit by Cure53 of our macOS app (July 2022)
• A security audit by Cure53 of our Aircove router (July 2022)
• A security audit by Cure53 of TrustedServer, our in-house VPN server technology (May 2022)
• An audit by F-Secure of our Windows v12 app (April 2022)
• A security audit by F-Secure of our Windows v10 app (March 2022)
• A security audit by Cure53 of our VPN protocol Lightway (August 2021)
• An audit by PwC Switzerland on our build verification process (June 2020)
• An audit by PwC Switzerland of our privacy policy compliance and our in-house technology TrustedServer (June 2019)
• A security audit by Cure53 of our browser extension (November 2018)

These assurance engagements and security assessments complement our other trust and transparency efforts, including launching the VPN Trust Initiative, our bug bounty program, and publicly detailing our security practices.

We’re proud that we’ve helped to drive the VPN industry forward with technology innovations such as Lightway and TrustedServer. Our latest round of audits with unprecedented comprehensiveness is another example of how we are leading the industry forward to give internet users greater privacy and security.