Cure53 tests NordVPN’s app security

Key facts about the security assessment

In the second quarter of 2024, NordVPN commissioned Cure53 to assess our app security. Cure53 is a respected cybersecurity auditing firm based in Germany with over 15 years of experience in software testing and security reviews. 

The firm conducted a penetration test (pentest) and source code review of NordVPN applications, browser extensions, and features. Eleven senior security testers worked closely with our developers. They had full access to important documents, application builds, and source code. The assessment began in June 2024 and lasted 55 working days.

The assessment covered multiple NordVPN applications and features across different platforms:

• Android and iOS
• Windows, macOS, and Linux apps
• Browser extensions — Chrome, Edge, and Firefox
• Threat Protection Pro™ and Threat Protection (former Threat Protection and Threat Protection Lite), as well as Meshnet features
• Other VPN features and functionality

Key findings and positive highlights

Cure53 found that NordVPN uses well-established, security-focused libraries that contribute to the strong security of our system. But that’s not all we’re proud of. 

After extensive testing, the experts found no client-side vulnerabilities in browser extensions. The Chrome, Edge, and Firefox extensions passed the pentest without security concerns.

The auditors also determined that our service has strong VPN features. Their assessment confirmed that our VPN functionalities work as intended.

Cure53 praised our developer team for being quick and efficient in addressing issues. This feedback confirms our commitment to security and transparency.

NordVPN’s response: All issues fixed

As soon as Cure53 completed the assessment and published its report, we addressed the findings and strengthened the security of our service. Since the testers found some vulnerabilities, including several high level ones, our developer team carefully addressed these issues and fixed them.

We then carefully reviewed the remaining issues and implemented alternative solutions where possible, avoiding negative effects on the user experience or downgrading overall security posture. Our key focus was to eliminate any potential risks to our customers, which means you can continue using your NordVPN app with confidence, knowing your security remains intact.

The full report on the findings is available via the user control panel on our website or by following the link below:

Keeping security strong

This assessment shows why regular security checks are a must — cyber threats constantly change, and new risks appear every day. At NordVPN, we strive to stay ahead of threats by:

• Running regular pentests to catch vulnerabilities early.
• Monitoring security to detect and fix risks.
• Improving security practices to give our users the safest experience possible.

Implementing security is never finished, and we will keep improving. The latest Cure53 assessment confirms that NordVPN apps are built on a strong foundation with no critical risks. We are proud of these results and will keep making NordVPN one of the most secure VPN services available to everyone.