ExpressVPN open-sources Lightway protocol and unveils security audit results

New Logo and Look
(Image credit: ExpressVPN)

Virtual private network provider ExpressVPN today announced the full public release of Lightway, its new custom VPN protocol. The company also unveiled what it called two new 'trust and transparency initiatives' for Lightway: the results of an independent security audit by cybersecurity experts Cure53 and the full open-sourcing of Lightway's code.

"Speed, performance, privacy, security, reliability—no one protocol had them all. That’s why we invested resources to build Lightway from the ground up for modern VPN needs. The two latest trust and transparency initiatives give us even more confidence to fully launch Lightway at scale...” said Harold Li, vice president, ExpressVPN.

The company backs up its words with some impressive Lightway stats. It claims tests show on average Lightway connects 2.5x faster than older protocols, improves reliability (that's few disconnections) by 40% and doubles speed. The protocol is also now available on all ExpressVPN's supported platforms: Android, iOS, Windows, Mac, Linux and routers.

Independent audit

In a welcome transparency move, ExpressVPN has released the results of a full Lightway source code audit (read more in the company's blog post) by Berlin-based penetration testers, Cure53.

In March 2021 the auditing team spent 22 person days working through the source code, using test binaries and talking to ExpressVPN. The final report lists its 'fourteen security-relevant discoveries', classifying five of these as security vulnerabilities, but none of those were critical. 

 The report conclusions raised some questions, but was broadly positive overall, saying the code is 'high quality', 'makes a relatively robust impression', and "the implementation should be good for production use..."

ExpressVPN patched the highlighted issues after the March 2021 audit, and Cure53 verified the fixes in a June 2021 follow-up. The full audit report is now available on Cure53's site.


ExpressVPN has put itself through audits before, including a browser extension checkup in 2019 and a full no-log server audit by PricewaterhouseCoopers. But while they were important, the latest audit is something new.

Several other VPN providers have their own proprietary protocols, including Hotspot Shield's Catapult Hydra and NordVPN's Nordlynx. VPN protocols are absolutely key to your privacy and security, so it's vital they're properly implemented. But, unfortunately, there's no way to judge if this is true, because none of the other top proprietary protocols have been audited or open-sourced.

(Hotspot Shield has a support article stating "Catapult Hydra security code is evaluated by 3rd party security experts from more than 60% of the world’s largest security companies that use our SDK to provide VPN services to their users. That's not the same as looking at the source code, though, and being able to read exactly what those security experts think of the protocol's strengths and weaknesses.)

Put it all together and this looks like a great show of confidence by ExpressVPN. Will it persuade others to open up about their own protocol secrets? Watch this space.

  • We've also highlighted the best proxy service providers
Mike Williams
Lead security reviewer

Mike is a lead security reviewer at Future, where he stress-tests VPNs, antivirus and more to find out which services are sure to keep you safe, and which are best avoided. Mike began his career as a lead software developer in the engineering world, where his creations were used by big-name companies from Rolls Royce to British Nuclear Fuels and British Aerospace. The early PC viruses caught Mike's attention, and he developed an interest in analyzing malware, and learning the low-level technical details of how Windows and network security work under the hood.