Don't require audits for VPN providers

Another option I will bring up in this discussion:

If we feel like audits are somewhat important, but not strictly necessary, we could move audits to the best-case scenario criteria and prioritize providers that have them, but keep the door open to listing other providers as well.

This gets us dangerously close to “worth mentioning” territory which a lot of people here and on the team want to avoid on the site, but it is not completely unprecedented and definitely could be done in very specific categories like VPN providers, so I wouldn’t be opposed to this.

I am interested to know what everyone thinks about this possibility.


For some context, we previously did not have many criteria when it comes to trustworthiness and only really focused on technical capabilities, but in 2019 we added requirements for audits and public-facing leadership that were not really meant to be technical criteria, but criteria for trustworthiness and commitment to privacy, based on a fairly extensive VPN review performed by Wirecutter at the time.

This is also a criterion used by Consumer Reports:

Third-party security audits aren’t a guarantee that a VPN has no security flaws, but they are a sign of trustworthiness, especially if the reports are easily accessible to the public and outside security experts.