by kdbg 1480 days ago
Funnily, both ExpressVPN and NordVPN which you call out have been externally audited.

NordVPN had the clients audited by VerSprite last year, and their No-log policy audited by PwC in 2018 and 2020. And a bug bounty program on HackerOne. [1]

ExpressVPN - Windows Client was just audited by F-Secure in March, and server side audits by Cure53, and PwC in 2021 and 2019 respectively. And a bug bounty program on Bugcrowd. [2]

---

For comparison

Mullvad has been audited (Client security and Infrastructure (for privacy)) by Cure53 through 2020, and first was in 2018. Has no bug bounty, but they do still have a vulnerability disclosure program. [3]

ProtonVPN, audits of the no-log policy in April, and clients in 2020. And they run their own bug bounty program. [4]

---

I actually find it kinda interesting that while they've all had audits regarding privacy on the server side, only ExpressVPN has had a security audit of server side components. (Granted I've not looked that deeply at this)

[1] Annoyingly, you can only download the audit reports if you log in then click Reports in the menu

[2] https://www.expressvpn.com/blog/?s=audit

[3] https://mullvad.net/en/blog/tag/audits/

[4] https://protonvpn.com/blog/?s=audit