Independent audit confirms security of Lightway for the second time

ExpressVPN has published 12 third-party audits in the past year alone, bolstering its status as the most transparent provider in the industry
ExpressVPN news
2 mins
A magnifying glass over code signifying software audit.

A year ago, we publicly committed to investing in a greater frequency and quantity of third-party audits. We pledged to engage more independent cybersecurity experts to assess our products and validate the accuracy of our security claims. In the past year alone, we have published new independent audits of all of our mobile and desktop apps, our privacy policy, and key technologies such as TrustedServer, the Aircove router, and our Keys password manager.

Today, we’re happy to share our latest audit—that of Lightway, an open-source VPN protocol that we built from the ground up. The assessment was conducted by Cure53 in October and November 2022, and the project included a penetration test and a dedicated audit of Lightway’s source code. 

Lightway is an important technology; a VPN protocol forms the foundation of a VPN service, shaping every aspect of your experience. This is why we invited Cure53 to audit Lightway for a second time (the first assessment of Lightway was completed in 2021), and also expanded the scope of testing.

We’re proud to say that Cure53 issued a very positive report, identifying five low-severity issues and four informational issues. No critical, high, or medium issues were found. We have since remedied all addressable issues raised in the report, as also confirmed by Cure53 during a re-test in February 2023.

“Drawing on the combination of factors, namely the comprehensive coverage, low number of findings, and an absence of high-impact problems, it can be concluded that this Cure53 assessment of the ExpressVPN Lightway components concludes with a positive result,” Cure53 states in its report.

In summary, Cure53 found Lightway to be “in a very good state of security.” Read Cure53’s full audit report for Lightway.

Our commitment to trust and transparency

With this latest assessment, ExpressVPN has completed and published 12 third-party audits in the past year alone. This also means that we have published more audit reports than anyone else in the VPN industry, further increasing the trust and transparency of our service. 

Here is a list of all our past external audits, ordered chronologically:

These assurance engagements and security assessments complement our other trust and transparency efforts, including launching the VPN Trust Initiative, our bug bounty program, and publicly detailing our security practices.

We’re proud that we’ve helped to drive the VPN industry forward with technology innovations such as Lightway and TrustedServer. Our latest round of audits with unprecedented comprehensiveness is another example of how we are leading the industry forward to give internet users greater privacy and security.

Phone protected by ExpressVPN.
Privacy should be a choice. Choose ExpressVPN.

30-day money-back guarantee

A phone with a padlock.
Enjoy a safer online experience with powerful privacy protection
What is a VPN?
ExpressVPN is dedicated to your online security and privacy. Posts from this account will focus on company news or significant privacy and security stories.