VPNs have a trust issue: Here's what TunnelBear did about it

A third-party security audit shows the VPN service's seriousness about protecting its customers.

The popular virtual private network (VPN) provider TunnelBear wants to earn your trust. The company just announced what it says is the first third-party public security audit in the consumer VPN industry. In short, a security company looked at TunnelBear’s servers, apps, and infrastructure to see if everything was up to snuff.

The VPN provider hired Germany-based penetration testing company Cure53. The security company was given full access to TunnelBear’s systems and code for 30 days in late 2016 and another eight in early 2017. The end result was two audits, which TunnelBear and Cure53 published Tuesday.

During the first audit, Cure53 found two critical vulnerabilities in TunnelBear’s Chrome extension, one of which allowed a malicious actor to turn off the extension. The auditors also found a critical vulnerability in TunnelBear for Mac that could allow a hacker to take over a user’s machine. All three vulnerabilities have since been patched.

Cure53 also found three high vulnerabilities—since patched—in the TunnelBear API as well as the Android app.

TunnelBear says it wasn’t proud of those results, but at least the vulnerabilities were discovered. During the shorter redo this summer, Cure53 said it found 13 other problems, but only one was of “high” severity. The others were medium to low threats that did not require urgent fixes.

For more information about VPNs, see PCWorld’s article on best VPNs of 2017.

Why this matters: One of the critical issues surrounding a VPN, or any software really, is trust. Can you trust the company you’re using to protect your privacy and provide you with a secure product? With some VPNs this isn’t such an easy question to answer, especially if you can’t even verify who’s running the company. TunnelBear took a big step by publicly releasing its security audits—most notably the 2016 one with all its problems.

The future: More audits

The one thing this audit didn’t address were the contents of TunnelBear’s privacy policy, such as its no-logging claim for users’ browsing habits. On that issue, it’s still up to you to decide whether you trust the company.

TunnelBear says its experience with Cure53 has inspired it to carry out an annual security audit from now on.

If you want to check out the audit results for yourself, you can read a summary on Cure53’s website (PDF).

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Ian Paul

PC World (US online)
Show Comments

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers


This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang


It really doesn’t get more “gaming laptop” than this.

Jack Jeffries


As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr


The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?