TunnelBear Completes Its 8th Annual Independent Security Audit
Published
- Annual Audit Completed: TunnelBear finishes its 8th independent security audit with full white-box testing.
- Findings & Fixes: Cure53 reports 13 vulnerabilities; all acknowledged and mitigated by TunnelBear.
- Ongoing Security Efforts: 2025 audit already done as company continues long-term security improvements.
TunnelBear has announced the completion of its eighth annual independent security audit, continuing the company’s long-running effort to verify its privacy and security practices through external testing. The VPN provider first began publishing independent audit results eight years ago and says the goal has remained the same: earning user trust through transparency rather than asking for blind confidence.
44-Day Audit Conducted by Cure53
TunnelBear confirmed that its 2024 audit was carried out by the cybersecurity firm Cure53. The assessment ran for 44 working days across October and November and involved eight senior auditors who worked directly with TunnelBear’s development team.
Cure53 performed a white-box audit, which means auditors were given full access to source code, configuration files, internal documentation, and backend systems. According to TunnelBear, the audit covered:
- TunnelBear’s applications
- Backend systems and server configurations
- Public-facing APIs and network entry points
- Data-handling processes and encryption layers
During the review, Cure53 identified 10 vulnerabilities rated medium severity or higher, along with 3 low-severity issues. The auditors also provided 10 additional recommendations categorized as minor improvements. These suggestions included enhancements such as better detection for jailbroken devices and limiting support for older operating systems.
TunnelBear states that all findings have been acknowledged and either fixed or mitigated.
Continuous Security Improvements
The company emphasized that security audits are an ongoing process rather than a single checkpoint. TunnelBear says each year’s findings inform internal improvements, and the 2024 audit led to updates across several areas, including:
- Streamlined internal monitoring and alerts
- Updated cryptographic libraries across all platforms
- Expanded automated testing to prevent regressions
- Additional separation of service components to reduce attack surface
The company described these efforts as part of a long-term commitment to strengthening both privacy and infrastructure reliability.
2025 Audit Already Completed
TunnelBear also revealed that its 2025 independent audit, its ninth consecutive review, has already been completed. The company is currently evaluating those results and working on the corresponding fixes.
Alongside annual third-party audits, TunnelBear says it has been collaborating with its internal InfoSec team throughout the past year to improve the systems used to operate its service. These efforts are expected to continue into 2026 as the company aims to further reinforce its security posture.
TunnelBear hinted that more updates and feature changes are planned for the near future, noting appreciation for users who have supported the service through eight years of published audits.
Related
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular