Over six years ago, TunnelBear became the first ever consumer VPN to publish a third-party security audit to the public. At the time, we were hoping to influence the entire VPN industry by setting a new standard for transparency and open communication. This is something we're glad to have seen become a new benchmark against which VPN providers worldwide are now measured.
That said, there's still a lot of work remaining. We're planning on introducing even more new features to the TunnelBear app, we have a much larger focus on supporting anti-censorship technologies than ever before, and we've been conducting our own internal security audits and improvements which we hope to share more about soon.
In 2016, the TunnelBear team made a commitment to continue conducting public security audits annually, and we're happy to finally share the results from 2022.
Conducting the audit
To begin, we owe a huge thanks to Cure53, the independent cybersecurity firm that has been conducting our audits since 2016. A detailed effort was also put forth by our own Pixel Bear and PhytoBear, who helped prepare secure testing environments, access to code, and support throughout the auditing process. Without these people, our 2022 security audit wouldn't be possible.
The scope was well-prepared and clear… The TunnelBear team delivered excellent test preparation and assisted the Cure53 team…
Cure53's security audit formally began in October 2022, lasting a total of 42 days and comprising eight security researchers from their team. Cure53 went through each of the TunnelBear applications, our entire VPN infrastructure and backend, our frontend and public websites, the TunnelBear AWS infrastructure, and various technologies we employ on our network.
Reviewing the results
Upon completion of their audit, Cure53 flagged a total of 32 issues. While 17 of the detected issues were considered to be of minor risk and severity, that still left 15 security vulnerabilities to be addressed by the TunnelBear team. As of today, 27 of the reported vulnerabilities have been resolved, leaving only 5 remaining issues.
One of the highlights from the audit was our frontend performance. While Cure53 did provide hardening recommendations, the TunnelBear applications (particularly our mobile apps) and website were commended for their security and protective measures.
However, it's important to note where we need to improve, and Cure53 highlighted some critical areas in which we can do so.
Cure53 strongly recommends that the TunnelBear team invests ample time and resources into further developing its security design principles…
Even though more than half were of minor severity, 32 discovered issues is still a lot. This shows a greater need for care and attention as we grow our infrastructure and introduce new capabilities. Additionally, many of the more critical issues found revolved around network hardening, that is, the need to reduce the attack surface through which attackers could target our VPN infrastructure.
So what's next for TunnelBear?
We intend to continue conducting independent public security audits annually, and we have already scheduled our seventh audit from Cure53 for later this year.
It's important to know that the responsibility to maintain a secure VPN infrastructure doesn't simply start and stop with third-party audits. Alongside Cure53's efforts to help improve our service, we've been conducting our own internal security and privacy audits as well. We intend to share our findings and improvements once they are complete.
As always, we want to thank Cure53 for their detailed reporting, and the members of our team who helped resolve the vulnerabilities found this year.
See you next time, and stay safe.