We recently reported an incident involving NordVPN and a third-party datacenter. We’re deeply sorry for letting that mistake happen, but that’s not what this post is about. This is about explaining what we’re going to do to take our security to the next level and make sure nothing like that ever happens again.
As we learn from the past, our plan is focused on the future. Some of the steps have always been a part of NordVPN, but we will make them even stronger. Others are new features that will help us go the extra mile. This is what it will take for us to earn the trust of the public, our users, and the cybersecurity community.
We need to work with the best. That’s why we’re partnering with VerSprite – a leading US cybersecurity consulting firm – and gathering a committee of cybersecurity thought leaders and experts from around the world. This special team will help guide our efforts to overhaul our service and make sure we really stick to our commitments.
Penetration testers are a key part of our security efforts. Their job is to prod our infrastructure for weaknesses and find them before anybody else does. VerSprite will help our in-house team of penetration testers challenge our infrastructure and ensure the security of our customers with:
Our job is to anticipate and prevent bugs before they ever go live. If one does slip past us, the next best line of defense is a vigilant and engaged cybersecurity community prepared to help catch and fix it before it puts anyone at risk.
Over the next two weeks, we will introduce a bug bounty program. Bug bounties reward cybersecurity experts for catching potential vulnerabilities and reporting them to us so we can fix them. Bounty hunters get a well-earned payout, and NordVPN users get a service they know is scoured for bugs by thousands of people every day to make it as secure as possible.
We are setting the groundwork for a full-scale third-party independent security audit in 2020. More information is forthcoming as we work out the details, but we will keep the public notified.
This will include and may not be limited to:
Right now, the majority of the datacenters we work with meet or exceed numerous stringent security standards. As we continue to review our infrastructure, however, we will hold the datacenters we work with to even higher standards than before.
At the same time, we will also begin to build a network of collocated servers. While still located in a datacenter, collocated servers are wholly owned exclusively by NordVPN. A breach caused by a vulnerability left by a third-party server provider would be impossible.
We are preparing a plan to upgrade our entire infrastructure (currently featuring over 5400 servers) to RAM servers. These will allow us to create a centrally controlled network where nothing is stored locally. In fact, they won’t even have an operating system stored locally. Everything they need to run will be provided by NordVPN’s secure central infrastructure. If you seize one of these servers, you’re seizing an empty piece of hardware with no data or configuration files on it.
Nothing like this should have ever been possible and we apologize that it was. However, we’ve learned our lesson and we want to prove it to you with actions, not just words.
The changes we’ve outlined here will make you significantly safer every time you use our service. Every part of NordVPN will become faster, stronger and more secure – from our infrastructure and code to our teams and our partners.
We can’t promise 100% immunity – no one can. What we can promise is that we have taken this incident to heart and will do everything we can to improve and to win back your trust. We will come back from this even stronger – we owe it to you.
Note: Post updated on October 29th.