NordVPN requested the audit in the middle of last year, and it took Cure53 nearly 80 days between July and October 2022 to complete it. This is the second major security audit that NordVPN has reported this year. In January, the company revealed that it passed an audit by the accounting firm Deloitte. “The results of multiple audits prove that we are true to our policies,” Marijus Briedis, NordVPN’s chief technology officer (CTO), told VPNOverview. Cure53’s founder and client-side security researcher, Dr. Mario Heiderich, echoed these same sentiments when we reached out. “We can say that this audit went well and didn’t yield any shady impressions whatsoever,” Heiderich said. “We’re, of course, most happy when we find issues of high or critical severity, where we can then actually see the fixes being created by the client and then being verified by us.”
Results of the Security Audit
Cure53 published two reports on its extensive assessment of NordVPN’s systems. The first focused on NordVPN’s desktop apps, browser add-ons, and backend services, and the second looked at its servers and infrastructure.
For the first audit, Cure53 looked at NordVPN’s Windows, Linux, macOS, and Android apps, as well as its browser extensions. The audit also included NordVPN’s websites, APIs, Threat Protection API, Pricing API, Nord Account, Nord Checkout, Nord UCP, VPN servers, and NordLynx VPN protocol code. Cure53 found that “the entire client-side complex has already made strong progress from a security perspective.”
“To provide a conclusory comment on mobile security in general, the NordVPN mobile applications garnered a robust impression and are observably effective in minimizing the attack surface,” the report said.
However, Cure53 noted some minor inconsistencies in parts of the codebase and identified areas for improvement. “Generally speaking, none of these incomplete schema validations led to significant security vulnerabilities,” Cure53 noted.
For the second audit, Cure53 “focused on a few key areas that were deemed most relevant to NordVPN’s network security in general.” These included its services, containers, host machines, and network.
NordVPN’s “host setup and configuration was cleanly and concisely constructed, with evidence of sound security-principle implementation,” the audit report said.
“The NordVPN team has clearly focused on securing the network layer of its service,” it added.
Cure53 did report a few issues, including “a local sudo-rule configuration that was deemed unrefined, partially superfluous, and potentially dangerous,” as well as some minor issues involving out-of-date features and a problematic file system.
NordVPN said it had addressed all the issues Cure53 highlighted in the report. “All the detected critical, high, and medium severity vulnerabilities were fixed by our restless developers and approved by the Cure53 authority, ensuring that NordVPN implemented all mitigations correctly,” NordVPN said in a blog post.
NordVPN’s Dedication to Users’ Security
NordVPN was one of the first VPNs to complete an independent assessment of its no-logs claim, and the company says it remains “committed to our customers’ privacy and online security.”
“We constantly develop new features that, in one way or another, increase our users’ privacy and security. Our infrastructure is configured in a way where no users’ activity is being monitored or stored while using our service,” Briedis said.
Meanwhile, when asked what VPN providers could improve for better security and privacy, Dr. Heiderich told us that companies should focus on improving their products instead of exaggerated marketing. “More transparency, fewer buzzwords; more openness, fewer promises that providers might not even be able to keep. All in all, maybe less competition and competitiveness for the sake of profits only and more focus on what actually helps users,” he said.
Interested in learning more about NordVPN? Check out our in-depth NordVPN review. You can explore some alternatives in our article on the top five best VPNs of 2023.