ExpressVPN's Lightway protocol passes second audit with flying colors


One of the best VPN services around, ExpressVPN has been showing some serious commitment to users' privacy and security lately.   

The provider called in two independent auditing firms between spring and summer last year to check the reliability of its desktop apps in three security audits. Right after this, a separate check also proved the security of its software as both an iPhone VPN and Android VPN together with the reliability of its own password manager tool ExpressVPN Keys.

Now, in a continued effort toward transparency, experts at Cure53 were called in to assess ExpressVPN's very own Lightway protocol for the second time in two years.

Despite a few minor bugs, which the provider said it has already fixed, Cure53 was pleased with the findings, and the audit ended with a "positive result" overall.

Twelve independent audits in a year

"With this latest assessment, ExpressVPN has completed and published 12 third-party audits in the past year alone - covering all of our mobile and desktop apps, our privacy policy, and key technologies," an ExpressVPN spokesperson told TechRadar.

"This also means that we have published more audit reports than anyone else in the VPN industry, further increasing the trust and transparency of our service."

This time it was Lightway that was tested, the open-source VPN protocol that ExpressVPN developed from scratch.

The tests were conducted by Cure53 between October and November 2022. Experts evaluated all the components of the protocol, including the Lightway server and client, and shared libraries, with both a penetration test and a dedicated audit of the source code. A series of white-box tests was the methodology chosen to carry out the audit.

Cure53 identified a total of nine issues. Among these, only three were classified as security vulnerabilities at low levels of exploitation.

"Quite clearly, the overall number of findings is moderate and can be interpreted as a good sign for the security of the inspected Lightway components," reads Cure53's final report.

"Drawing on the combination of factors, namely the comprehensive coverage, low number of findings, and an absence of high-impact problems, it can be concluded that this Cure53 assessment of the ExpressVPN Lightway components concludes with a positive result."

Experts also reported good access and communication throughout the assessment period, noting how the ExpressVPN team provided prompt and excellent responses whenever requested.

Even better, the provider is said to have fixed all the issues, and the fixes were already checked by Cure53 in February 2023.

In a blog post, ExpressVPN said it was very pleased with the outcomes. "We’re proud that we’ve helped to drive the VPN industry forward with technology innovations such as Lightway and TrustedServer.

"Our latest round of audits with unprecedented comprehensiveness is another example of how we are leading the industry forward to give internet users greater privacy and security."

Chiara Castro
Senior Staff Writer
