Windscribe

Oops, you’re right, that is (one of) the posts I was remembering. I was thrown off by the choice of the term pen-test (since I think the scope of the audit went beyond just penetration testing).

I think I don’t have much else to add beyond what has already been shared:

  1. Windscribe’s 2024 blog post on the new infra and the audit(s) (edit: removed incorrect info)
  2. The results of the 2022 audit from Cure53 (PDF) and the 2024 audit from Packet Labs (PDF)
  3. Your link to @yegors' comment on the scope of the audit (I’d add this earlier comment, which also touches on the scope of the audit), in particular that:

    So the scope is VERY extensive, and included full access to the server and all source code running on it, and the auth infrastructure it connects to.
    […]
    The scope of the audit is clearly stated in the document (and blog post), which states that full access to infrastructure and code was provided.

(edit: removed some things because I was wrong)

I do not understand why the 2024 audit was not linked in the 2024 blog post announcing the completion of that audit (or in some subsequent follow-up blog post). Maybe they are waiting until they complete the rollout of the new infrastructure (started in July, with a target completion of late '24/early '25, iirc), or maybe it is for some other reason. But in any case, in my eyes, releasing the findings of the 2024 audit should be a prerequisite to getting listed.

2024-06-26 - Windscribe - Penetration Test Report.pdf (3.2 MB)
