In-line with our commitment to perform an annual security audit of IVPN systems, we have commissioned the independent security auditing organisation Cure53 to conduct a security audit at the end of February 2023. We aim to publish the results of the audit no later than April 2023.
We have recently decided to upgrade our VPN gateway servers to a new major OS version which includes many configuration changes. The scope of the audit includes a pen-test and thorough security audit of the configuration of these new VPN gateway servers which are currently in a test environment, and due to go into production following the remediation of issues found by Cure53.
A note on the chosen scope and ‘no-logs’ audits:
In 2019 IVPN has commissioned a ‘no-logs’ audit to demonstrate that our service is not configured to collect and store information relating to customer connections.
After considering a repeat of this audit scope, we have decided that claims around ‘no logs’ audits can be misleading, or at best ambiguous to customers. We often remark that audits are just a snapshot in time. Any VPN service receiving a stamp of ‘no logs’ from independent evaluators can update their systems and start collecting sensitive customer information the following day.
For this reason, our aim this year, and from now on is arranging audits that focus on parts of our systems that have undergone significant updates. We believe such reviews meaningfully contribute to improving the security of our systems.
Suggest an edit on GitHub.