TunnelBear has completed the first third-party public security audit in the consumer VPN industry.
The audit was conducted by the respected German firm Cure53, and the report is available on its website.
An audit had already been made in 2016, but results had not been made available publicly. However, as you may have noticed, a question has been rising: can you trust your VPN provider? It's exactly to answer this concern that the bear VPN decided to release the results of its audit.
Surprisingly enough, very few vulnerabilities were found this year, and none were critical. In fact, the only high-level issue identified was only exploitable with physical access to TunnelBear infrastructure. Indeed, permissions for sensitive information such as internal usernames and passwords were too "generous".
You could argue that the security company was paid by TunnelBear. But who would review thousands of lines of codes and pentest countless nodes for free?
The most important aspect of this report is progress: the first audit contained multiple critical vulnerabilities, which were fixed before the second audit. It shows the importance of having the security of your VPN service tested by a third-party.
A similar effort pursued by other providers is the creation of bug bounty programs. Instead of trying to hide bugs and vulnerabilites, a bug bounty bounty programs makes your VPN service safer, as looking for bugs is incentivized. Such an effort promotes the early and proactive detection of security problems. And it's always easier to fix bugs before they provoke catastrophes.