I don’t think audits are in the same category as port-forwarding. One is a security aspect, the other is a ‘convenience’. Also, VPNs are particularly sensitive. We shouldn’t lower the bar on VPNs.
We could arguably list public security audits under either section of the criteria,
Hi Jonah,
Do you reckon it would be good to list some of the top trusted, well-known and respected auditors too? To match the current requirement on the site anyway.
Not really because the scope of the audit can be highly limited by the requesting company. Cure53 can do good audits for example, but I have seen reports from them where the scope is so narrow that they didn’t really have a chance to look at anything we care about.
I see, so it depends on each individual audit and audit scope? Rather than one auditor that fits PG criteria in all their audits?
That’s correct.
I think this is the same as the Open Source argument.
Why require open source if most people won’t read the code?
Why ask our leaders for tax returns if you’re not going to read them?
It’s simply about transparency and trust.
Having an audit is always a good thing. Unless you solely do the audit to give the false impression that you’re being transparent, when it’s actually used only as a marketing strategy. That’s where the PG team comes in.
Going to mark this one as rejected.
Audits, while they don’t ensure logging isn’t added afterwards, are good for a provider to do to make sure they haven’t introduced any breaking regressions to their infrastructure.
Audits of apps ensure functionality (e.g. the kill switch) actually works and isn’t widely exploited in other ways.
No, we don’t want to open the door to every white label who sets up a vibe-coded app with an AI slop website and a WireGuard server on a random VPS. This would be a downgrade in privacy for customers. If we reduced the criteria to that, we simply wouldn’t recommend VPNs at all.