ExpressVPN is among the best VPNs out there and is also one of the very few service providers with its own VPN protocol – Lightway. According to the company, it puts privacy and security first, “without compromising on speed or connection reliability.”
Now the company is making it open source and letting everyone read an independent audit of Lightway’s security by cybersecurity firm Cure53.
Specifically, Lightway’s source code has been published under an open-source license (GNU General Public License, Version 2), meaning that its core codebase is available on GitHub for viewing and contributing. Other VPN providers can also use it if they wish, which we think is a nice bonus.
ExpressVPN also runs a bug bounty program to reward anyone who finds a bug in Lightway.
As for the audit, Cure53 conducted a penetration test and a source-code audit to confirm the strength of the protocol’s security. The findings were positive, with the report reading, “The codebase observed on Lightway Core follows consistent coding patterns and exhibits – in the testers’ view – a high quality.”
The assessment did identify several weaknesses, and ExpressVPN has since taken measures to mitigate the associated risks, which Cure53 verified as part of the audit.
In the same announcement covering Lightway’s audit and open-sourcing, ExpressVPN reminded us that it was the first in the industry to create TrustedServer – which runs only on volatile memory (RAM). Since RAM requires power to store data, all information on a server is wiped every time it is powered off and on again – stopping both data and potential intruders from persisting on the machine.
ExpressVPN has previously open-sourced its browser extensions and leak-testing tools. The company also regularly commissions independent audits and assessments of its products as a way to test its security claims and confirm them for users.