I ask you something similar, why do you obsess about what I said?
I could be right, I could be wrong that heavy focus on marketing will affect their product. There’s no black and white here in this situation and I would love to be proven wrong.
obsess about what I said?
What are you even talking about?
I would love to be proven wrong.
Since you made no claim there's nothing to prove wrong. I just think it's kinda stupid to imply marketing is an issue and then back off by saying “yeah bro idk after all”. Everyone can say “idk man” to anything but then their purpose is to question.
Very true. Even if they market it to the moon, I wouldn’t use it until it has been proven in real life like Mullvad. Beautiful animations and big words mean nothing. It could even be a honeypot. Who knows? It might be comparable to something like Mullvad after ~10 years of proven track record but as of now, not even close. I would prefer Nord over it, as in that case at least I know what I am getting.
To clarify: The April 14, 2022 launch was for the mixnet (i.e. the network infrastructure). This March 13, 2025 launch was for the NymVPN apps / service (i.e. one app / service built on top of said infrastructure).
Not confident (2025-05)
Are the people’s intentions trustworthy? I strongly believe so.
I’m not confident there has been pragmatic security talent at Nym thus far.
- Mad respect to Chelsea; her push for cryptography over tokenisation & perhaps other things she might’ve done.
- Good job outsourcing audits, not having one appsec wizard who quits and suddenly no one knows
- Good job announcing a bug bounty program will start soon
- Fantastic job genuinely giving a shit about privacy.
3 small points that raise enough of an eyebrow for me to pass for now. Juiciest is 3rd.
1. Bug Bounty Program
It’s common for responsible disclosure programs to say already-reported bugs are not rewarded. Yet, Nym want to wait until the Cure53 findings have been fixed (from a Dec 2024 blog).
That’s odd, not crazy-odd, but: Huh? Takes a day to whip up an initial program. Audits can be in remediation, list your scope, responsible disclosure process, contact email, etc. You want to build a community of testers who like your program - the earlier the better.
It’s not a huge deal. It’s a slightly bigger deal they’ve been running for 5+ years without one.
Look up MullVad & iVPN’s reporting pages, on the footer of their main websites. Minimal, sufficient.
2. No DKIM (at the time of writing)
- Check dmarcian (website) for nym com & nymtech com (As a new user, I can only post two links)
I won’t detail why this is a problem. It has cost other web3 companies significantly in the past.
Again, 5 years in, tech startup, emphasis on security, pretty odd.
- Check dmarcian (website) for mullvad and ivpn
3. Cure53 July 2024 audit summary (THE JUICE YOU SEEK): Available here. Hope to see another engagement this year - Good job for organising it & publicising it, Nym team! Props.
In summary for me:
Nym respect security and privacy without question from me. That said, it perhaps has the plague of several academic-led crypto-startups in terms of how to approach security pragmatically.
If I knew someone targeted by the state specifically, I wouldn’t recommend most centralised VPNs. Some do respond to government requests. I would rather recommend a logless mixnet, however, with the little time I’ve devoted to sniffing the current security stature, I wouldn’t recommend this person Nym.
Or I’d say: Check again, after the next major audit.
For the less-targeted, I’d recommend MullVad/iVPN (Never worked for them or any VPN company).
Also of note: Potential IPv6 leaks here (ctrl+F privacy):
- Techradar Nymvpn Review Oct 2024
Unrelated Old-Man-Yells-At-Cloud Rant:
Web3 is largely dog-brained at “Web2” security, and is consistently compromised due to this. Even if your code audits are golden and you’re layer 1: Don’t throw the baby out with the bathwater & don’t end up on rekt.news
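The DKIM/DMARC point above can be checked without a third-party site: the records are plain DNS TXT entries. The following is an added example (not code from this thread, from Nym, or from dmarcian) that parses and grades DMARC and DKIM records the way you would after a `dig +short TXT _dmarc.<domain>` or `dig +short TXT <selector>._domainkey.<domain>` lookup. Every record string in it is a constructed sample, not a real lookup of any domain named in the thread, and the selector and key values are placeholders.

```python
"""Grade a domain's email-authentication posture from its DMARC and DKIM TXT records.

Added example for the "No DKIM" point in the thread; not code from the thread or from
Nym. All record strings here are constructed samples. To evaluate a real domain, run
    dig +short TXT _dmarc.example.com
    dig +short TXT <selector>._domainkey.example.com
and pass the returned strings (quoted chunks included) to the functions below.
"""
import re
from typing import Optional


def join_txt_chunks(dig_output: str) -> str:
    """dig prints long TXT records as several quoted strings; join them into one value."""
    chunks = re.findall(r'"([^"]*)"', dig_output)
    return "".join(chunks) if chunks else dig_output.strip()


def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' record (DMARC or DKIM) into a lowercase-keyed dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part and "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> dict:
    """Classify a DMARC record as missing, invalid, monitor-only, partially enforcing, or enforcing."""
    if record is None:
        return {"present": False, "policy": None, "verdict": "missing"}
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return {"present": False, "policy": None, "verdict": "invalid"}
    policy = tags["p"].lower()
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    if policy == "none":
        verdict = "monitor-only"  # reports only; spoofed mail is still delivered
    elif policy in ("quarantine", "reject") and pct < 100:
        verdict = f"partial-enforcement ({pct}%)"
    elif policy in ("quarantine", "reject"):
        verdict = "enforcing"
    else:
        verdict = "invalid"
    return {"present": True, "policy": policy, "pct": pct,
            "rua": tags.get("rua"), "verdict": verdict}


def assess_dkim(record: Optional[str]) -> dict:
    """Check a DKIM selector record: present, has a public key, or revoked (empty p=)."""
    if record is None:
        return {"present": False, "verdict": "missing"}
    tags = parse_tags(record)
    if "p" not in tags:
        return {"present": False, "verdict": "invalid"}
    if tags["p"] == "":
        return {"present": True, "verdict": "revoked"}  # RFC 6376: empty p= means key revoked
    return {"present": True, "key_type": tags.get("k", "rsa"), "verdict": "ok"}


def posture(dmarc_record: Optional[str], dkim_record: Optional[str]) -> str:
    """One-line summary combining both checks, for a quick vendor comparison."""
    d, k = assess_dmarc(dmarc_record), assess_dkim(dkim_record)
    return f"DMARC: {d['verdict']}; DKIM: {k['verdict']}"


# Constructed samples (placeholder domain and truncated placeholder key, not real data).
SAMPLE_DMARC_ENFORCING = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
SAMPLE_DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
SAMPLE_DKIM_DIG_OUTPUT = '"v=DKIM1; k=rsa; " "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB_PLACEHOLDER"'

if __name__ == "__main__":
    print("vendor A:", posture(SAMPLE_DMARC_ENFORCING, join_txt_chunks(SAMPLE_DKIM_DIG_OUTPUT)))
    print("vendor B:", posture(SAMPLE_DMARC_MONITOR, None))
```

The useful distinction for the thread's argument is between "no record", "p=none" (which only asks for reports and does not stop spoofed mail) and an enforcing policy; a selector record for the sending domain is what actually proves DKIM is in place, and the selector name comes from the `s=` tag of a received message's DKIM-Signature header, not from DNS.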
Thanks @dud1337 for the detailed feedback.
On the bug bounty program: You’re right, this should be standard practice. We’ve been handling security reports through GitHub/support channels, but a formal program has been ready since March - we just held off due to resource concerns while fixing connectivity issues. It’s launching very soon.
On DKIM: Our emails originate from nymtech.net with DKIM enabled, so that should be working properly.
On the Cure53 audit: Fair point. The team has implemented many of the recommended fixes and we’re continuously improving our security practices. We recently hired a cryptographic engineer to implement new cryptographic protocols securely, optimize existing code, and strengthen our overall security posture.
however, with the little time I’ve devoted to sniffing the current security stature, I wouldn’t recommend this person Nym.
Regarding this overall recommendation against Nym - what would you need to see to change that assessment? Always interested in honest feedback from the community!
Also of note: Potential ipv6 leaks here
That review appears to be from September 2024. The apps have evolved significantly since then, so I’d encourage testing our current versions from Download NymVPN for macOS | Nym if you’re interested in a fresh evaluation. Or checking more recent reviews (such as https://www.zdnet.com/article/nymvpn-review/).
For @discussion_moderators can we consolidate this thread with Nym and NymVPN - Next-gen privacy with mixnet and VPN service Thanks!