We are always working hard to make sure you are protected online. Our efforts are led by a team of 170+ tech experts, including programmers, security specialists, and IT architects. Here’s what we’re doing to give you the most secure VPN experience.
We’ve partnered with VerSprite, a leading US cybersecurity consulting firm, and are forming a committee of international cybersec experts to help us improve our service.
We introduced a bug bounty program to catch potential vulnerabilities with the help of our community.
We are preparing for a thorough independent security audit in 2020, which will cover everything from VPN software to internal procedures.
We are reviewing our criteria for the datacenters that we work with. We have also begun to build a network of collocated servers owned exclusively by NordVPN.
We are planning to upgrade to RAM servers, creating a centralized network where no data is stored locally.
Internal penetration testing
Our professional penetration testing team constantly probes the NordVPN infrastructure for weaknesses. These experts simulate real-world attacks to expose and patch up vulnerabilities.
We’ve launched a bug bounty program on HackerOne for ethical hackers to report security flaws for monetary reward. We encourage our community to analyze NordVPN’s website, apps, and services.
NordVPN completed an industry-first audit of its no-logs policy in 2018 and an app security audit in 2019. This year, we’re planning to audit our infrastructure — hardware, software, back-end architecture, source code, and internal procedures.
External security partner VerSprite
NordVPN has partnered with VerSprite, a global leader in cybersecurity consulting and advisory services. VerSprite will be performing a comprehensive penetration test, examining our intrusion handling, and providing us with vendor risk assessments.
Built around the cutting-edge WireGuard® protocol, Project NordLynx paves the way for fast and secure VPN connections that guarantee your privacy.
NordPass is a next-gen password manager built with your security in mind. Through advanced cryptography and zero-knowledge architecture, NordPass protects your online accounts while fully respecting your privacy.
NordLocker is an easy-to-use file encryption tool. Anything encrypted with the app can be safely stored or shared with others, making sure that your confidential data is safe in the event of theft or breach.
NordVPN Teams combines flexible online access with powerful encryption. Designed for business needs, it offers dedicated company servers, static IP addresses, third-party authentication, and more.
In November 2019, a hacker uploaded about 2,000 email and password combinations linked to NordVPN accounts. These credentials were obtained from other breaches that had nothing to do with NordVPN.
Our security team is always investigating stolen credentials lists to protect NordVPN users. We use rate-limiting and smart detection systems, and will also implement two-factor authentication (2FA) soon.
In March 2018, a single server we rented from a third-party Finnish data center was compromised. The breach occurred due to the data center’s negligence that we didn’t know about.
The intruders did not obtain any user activity logs, identities, usernames, or passwords. As soon as we learned of the breach, we terminated the server and thoroughly audited our network. To prevent similar incidents, we now encrypt the hard disk of each new server alongside other protective measures.
Scammers cloned our site at nord-vpn.club, offering a Windows version of our app which secretly contained the Win32.Bolik.2 trojan virus. This trojan would monitor user activity and steal banking details.
We promptly blacklisted the site and took it down. We also published detailed guidance on how to protect yourself from similar scams in the future.
In August 2018, a security researcher revealed a flaw in VPNs using OpenVPN protocols. By adding tiny bits to data before it is encrypted, the VORACLE tool could theoretically let hackers read VPN traffic.
As soon as our technicians became aware of the vulnerability, they fixed it by disabling OpenVPN compression. We thoroughly tested our systems to make sure the fix worked and didn’t affect our service.
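A way to verify the mitigation described above on your own OpenVPN configuration files, shown as an added example that is not NordVPN's code. The directive names (comp-lzo, compress, allow-compression, push) come from the OpenVPN manual; the function names, the sample configuration, and the host vpn.example.com are constructed for illustration.

```python
import shlex

# Algorithms that really compress; "stub", "stub-v2" and "migrate" only keep framing.
COMPRESSING = {"lzo", "lz4", "lz4-v2"}

def directive_compresses(tokens):
    """Return True if a tokenised OpenVPN directive turns payload compression on."""
    if not tokens:
        return False
    name, args = tokens[0], tokens[1:]
    if name == "push" and args:
        # A server pushes options as one quoted string: push "comp-lzo yes"
        return directive_compresses(shlex.split(args[0]))
    if name == "comp-lzo":
        # Bare comp-lzo means adaptive compression; only "no" switches it off.
        return not args or args[0] != "no"
    if name == "compress":
        # Bare compress keeps the compression framing but does not compress.
        return bool(args) and args[0] in COMPRESSING
    if name == "allow-compression":
        return bool(args) and args[0] == "yes"
    return False

def audit_config(text):
    """Return (line_number, line) for every directive that enables compression."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line.startswith(";"):          # ';' in the first column is a comment
            continue
        try:
            tokens = shlex.split(line, comments=True)   # also drops '#' comments
        except ValueError:                # unbalanced quote: not a directive we can judge
            continue
        if directive_compresses(tokens):
            findings.append((number, line))
    return findings

# Constructed sample client configuration (not taken from any real deployment).
SAMPLE = """\
client
dev tun
proto udp
remote vpn.example.com 1194
cipher AES-256-GCM
comp-lzo
# compress lz4-v2
;compress lzo
compress stub-v2
"""

if __name__ == "__main__":
    for number, line in audit_config(SAMPLE):
        print(f"line {number}: compression enabled by '{line}'")
```

An empty result means no directive in the file turns compression on; options pushed by the server at connect time still need to be checked in the server's own configuration.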
VPN Trust Initiative
In December 2019, NordVPN became a founding member of the VPN Trust Initiative. Led by the i2Coalition, the organization aims to give VPNs a unified voice in U.S. internet policy, focusing on stronger consumer digital security.
• We do not collect traffic logs and cannot be compelled to by anyone else.
• We never willingly provide user data, private keys, personal information, or access to a third party.
• We cannot be (and have never been) compelled to modify our systems to allow third-party access.
• We confirm that we have full control over our infrastructure.