This TLDR is very wrong, and it sounds like the audit was not actually read, or you have an axe to grind for some reason…
Point #2: This is not a “serious vulnerability” (notice the actual severity on the issue - LOW) as this is only for rootfs, which is a blank slate server with no configs, secrets, or useful information. This also didn’t affect anything in production, as this is a pre-production audit. This was an oversight for sure, but that’s why we did the audit before going into production with this setup.
Point #3: This affected zero customers as the beta servers the select group used to provide us feedback never accessed the machine that the audit was performed on, where we did enable full logs for debugging, and forgot to put them back to how they were.
If you read the scope section, you will find the following:
"This included the ca-023.windscribe.com node along with the security testing and manual source-code review of the Windscribe cross-process communication and microservice stack."
So the scope is VERY extensive, and included full access to the server and all source code running on it, and the auth infrastructure it connects to.
There were so few findings because this is not the first audit (earlier Cure53 one had more findings), so if you actually read the whole thing, the results are pretty damn good (2 low severity issues, and one info).
Since you mentioned Mullvad, they did a VERY similar audit of their pre-production infra last year: Infrastructure audit completed by Radically Open Security | Mullvad VPN
Which resulted in:
RoS discovered 1 High, 6 Elevated, 4 Moderate, 10 Low and 4 info-severity issues during this penetration test.
All software has bugs, as everything is done by humans who make mistakes. I caution not to add emotion into the mix, or make baseless claims that are not backed up by facts.
Cheers