good security needs constant reevaluation. While many VPN companies will continue to live in obscurity, with claims of protecting your security, it’s our hope that by completing the industry's first 3rd party, public security audit, experts and consumers alike can be sure that TunnelBear delivers on its security promises. Our plan is to earn trust and move the VPN industry in a new direction around transparency. You can read the full report on Cure53’s website. As Cure53 put it, “The results of the second audit clearly underline that TunnelBear deserves recognition for implementing a better level of security for both the servers and infrastructure as well as the clients and browser extensions for various platforms”.

All findings discovered in the 2017 audit have also been addressed by TunnelBear’s engineering team with only informational findings remaining. All vulnerabilities represented low-risk findings. In the June 2017 audit, we were more content with the results. However, we’re hoping the security community has appreciation for our candid transparency in the 2016 report and for demonstrating our investment in security over time.

All findings discovered in the 2016 audit were promptly addressed by TunnelBear’s engineering team and verified to be fixed by Cure53. We hadn’t intended to publish the 2016 results. We want to proactively find vulnerabilities before they can be exploited. It would have been nice to be stronger out of the gate, but this also reinforced our understanding of the value of having regular, independent testing. If you’ve already looked at the results, you’ve seen that the 2016 audit found vulnerabilities in the Chrome extension that we weren’t proud of. We wouldn’t expect any cybersecurity company to spend a few hundred hours auditing our code for free. As is the case of most security audits, Cure53 was paid for their work.
TunnelBear was given the opportunity to provide feedback on the report, before it was published, where we felt findings were inaccurate or irreproducible. Today we’re sharing a complete public audit which contains both the results from last year and the results from the current audit.

As the auditor, Cure53’s opinions and findings are their own, with the results being published on their website. However, the recent crisis of trust in the VPN industry showed us we needed to break the silence and share Cure53’s findings publicly. Our original plan was to use their findings internally to confirm we were delivering on our promise to secure your browsing and proactively identify vulnerabilities. Using a “white-box” approach, they were given full access to our systems and code. In late 2016, we hired Cure53, a respected security company, to do a complete audit of our servers, apps and infrastructure. Our auditor, Cure53, has published their findings on their website and we’re content with the results. Today, we’d like to announce TunnelBear has completed the Consumer VPN industry's first 3rd party, public security audit. While we can’t restore trust in the industry, we realized we could go further in demonstrating to our customers why they can, and should, have trust in TunnelBear. We knew TunnelBear was doing the right things. Over the last few years, many less reputable VPN companies have abused users' trust by selling their bandwidth, their browsing data, offering poor security or even embedding malware.

Being within the industry, it’s been hard to watch. Consumers and experts alike have good reason to question the security claims of the VPN industry.