TunnelBear Performs First Ever VPN Security Audit

August 18, 2016

We’ve never hidden our fondness for the cartoony interface and the impressive quality of service offered by TunnelBear. Turns out, they also initiated the first-ever VPN security audit. This is exactly what is needed to build trust among (potential) users, and trust is essential for VPNs to thrive on the market.

This “extra mile” from a relative newcomer should be a lesson to older VPN companies as to how one substantiates claims of high-level security. TunnelBear still has a lot of wrinkles to iron out, but this is definitely a step in the right direction.

Third Party Security Reassurance

TunnelBear’s team has always strived to demonstrate and prove the security level of their service. Apparently, they’ve decided to put their money where their mouth is, so they ordered a third-party security audit.  

They hired Cure53, a Germany-based penetration-testing company, to give their systems a proper run for their money. They gave Cure53 full access to their systems and code back in late 2016. In 2017, another 8-day audit was also conducted.

It’s the first time in VPN history that a company ordered this sort of testing, and TunnelBear was very frank and open about the final results.

Vulnerabilities Found

Back in 2016, two major flaws were discovered in TunnelBear’s Chrome extension, one of which enabled hackers to turn off the extension. The Mac app contained a vulnerability that allowed hackers to take over the device. Also, TunnelBear’s Android app and API contained three high-severity vulnerabilities.

All of these “soft spots” were addressed accordingly by the engineering team and Cure53 also verified them as fixed. TunnelBear representatives stated that “it would have been nice to be stronger out of the gate,” but they were glad they were able to fix all of the problems discovered. 

The latter audit found 13 additional problems, but only one was classified as a major issue. They have all been fixed promptly as well.  

The Purpose Of A Security Audit

We have to give credit to TunnelBear for going public with this information, even though such findings in an online security company could be a cause for concern.  

This opened them up to situations where a potential customer sees the words “TunnelBear” and “vulnerabilities” and immediately runs away without looking back. So, we have to congratulate the team on the bravery they demonstrated when they decided to go public with such potentially hazardous info. We wish every VPN company out there followed their example of disclosing their shortcomings and fixing them.

Our opinion is that TunnelBear’s team took full responsibility for their software and owned their mistakes like true professionals. While we under no circumstances welcome vulnerabilities in VPN services, we definitely prefer knowing about them and seeing the team do everything in their power to fix the issues and provide us with high-level online security.

So, kudos to TunnelBear for setting an amazing precedent. It doesn’t make them a perfect VPN all of a sudden, but we can definitely see they’re trying. Keep it up.