ExpressVPN's Lightway protocol passes second audit with flying colors


One of the best VPN services around, ExpressVPN has been showing some serious commitment to users' privacy and security lately.   

The provider called in two independent auditing firms between spring and summer last year to check the reliability of its desktop apps in three security audits. Right after this, a separate check also proved the security of its software as both an iPhone VPN and Android VPN together with the reliability of its own password manager tool ExpressVPN Keys.

Now, in a continued effort toward transparency, experts at Cure53 were called in to assess ExpressVPN's very own Lightway protocol for the second time in two years.

Despite a few minor bugs, which the provider said it has already fixed, Cure53 was pleased with the findings, reporting a "positive result" overall.

Twelve independent audits in a year 

"With this latest assessment, ExpressVPN has completed and published 12 third-party audits in the past year alone - covering all of our mobile and desktop apps, our privacy policy, and key technologies," an ExpressVPN spokesperson told TechRadar.

"This also means that we have published more audit reports than anyone else in the VPN industry, further increasing the trust and transparency of our service."

This time the subject of the test was ExpressVPN's Lightway, the open-source VPN protocol that the provider developed from scratch.

The tests were conducted by Cure53 between October and November 2022. Experts evaluated all the components of the protocol, including the Lightway server and client, and shared libraries, with both a penetration test and a dedicated audit of the source code. A series of white-box tests was the methodology chosen to carry out the audit.

Cure53 identified a total of nine issues. Among these, only three were classified as security vulnerabilities at low levels of exploitation.

"Quite clearly, the overall number of findings is moderate and can be interpreted as a good sign for the security of the inspected Lightway components," reads Cure53's final report.

"Drawing on the combination of factors, namely the comprehensive coverage, low number of findings, and an absence of high-impact problems, it can be concluded that this Cure53 assessment of the ExpressVPN Lightway components concludes with a positive result."

Experts also reported good access and communication throughout the assessment period, noting how the ExpressVPN team provided prompt and excellent responses whenever requested.

Even better, the provider is said to have fixed all the issues, and the fixes were already checked by Cure53 in February 2023.

In a blog post, ExpressVPN said it was very pleased with the outcomes. "We’re proud that we’ve helped to drive the VPN industry forward with technology innovations such as Lightway and TrustedServer.

"Our latest round of audits with unprecedented comprehensiveness is another example of how we are leading the industry forward to give internet users greater privacy and security."

Chiara Castro
Staff Writer
