What an audit means here
“Audit” gets used loosely in the VPN industry — sometimes it means a security firm spent a week running automated scans, sometimes it means a deep code review with privileged server access. GhostShield audits are the deep kind: auditors are granted shell access to staging infrastructure that mirrors production, they run their own scripts against our code, and the report covers methodology in enough detail that another firm could repeat the work.
We commission three kinds of audits across the year:
1. Privacy audits (annual + ad-hoc)
A privacy audit checks the runtime behaviour of the production VPN service against our published no-logs claim. The auditor verifies that the WireGuard control plane writes no connection metadata to disk, that DNS resolution paths do not bypass the tunnel, and that operational logs (errors, crashes) do not contain user-identifying fields. The output is a yes-or-no answer to the question “does GhostShield retain anything that could identify a user?”
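The log check described above, as an added illustration that is not GhostShield's own tooling: a scanner of the kind a privacy auditor runs over error and crash logs. It flags client IP addresses (v4 and v6, with or without a port or prefix length) and WireGuard peer public keys, and can redact them in place. The log lines are constructed for the example; the field names in them (`from=`, `peer=`, `allowed-ips=`) are assumptions, not real GhostShield output.

```python
"""Scan operational log lines for user-identifying fields.

Added illustration, not GhostShield's own tooling. Anything that looks
like a client address or a WireGuard peer key is reported as a finding;
the auditor triages infrastructure addresses by hand.
"""
from __future__ import annotations
import base64
import ipaddress
import re
from dataclasses import dataclass

# Lines are split on whitespace and common delimiters; "k=v" tokens are
# also examined after the first "=" so that from=203.0.113.7:51820 and
# peer=<key> are caught.
_SPLIT = re.compile(r"[\s,;()\[\]\"'<>]+")
_IPV4_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):\d+$")
# A WireGuard public key is 32 bytes, base64-encoded: 43 chars and one '='.
_WG_KEY = re.compile(r"^[A-Za-z0-9+/]{43}=$")


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str      # "ipv4", "ipv6" or "wg_pubkey"
    value: str


def _as_address(token: str):
    """Return the IP address a token denotes, or None."""
    token = token.rstrip(".:")            # trailing punctuation
    m = _IPV4_PORT.match(token)
    if m:
        token = m.group(1)                # drop :port
    try:
        return ipaddress.ip_interface(token).ip   # accepts a.b.c.d/32 as well
    except ValueError:
        return None


def _is_wg_key(token: str) -> bool:
    if not _WG_KEY.match(token):
        return False
    try:
        return len(base64.b64decode(token, validate=True)) == 32
    except ValueError:
        return False


def _candidates(token: str):
    yield token
    if "=" in token:
        yield token.partition("=")[2]


def scan_log(lines) -> list[Finding]:
    """Return every user-identifying field found, in line order."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for token in filter(None, _SPLIT.split(line)):
            for cand in _candidates(token):
                addr = _as_address(cand)
                if addr is not None:
                    # Loopback and unspecified addresses name the host, not a
                    # user; anything else, tunnel-internal ranges included,
                    # maps to a session and is a finding.
                    if not (addr.is_loopback or addr.is_unspecified):
                        findings.append(Finding(n, f"ipv{addr.version}", str(addr)))
                    break
                if _is_wg_key(cand):
                    findings.append(Finding(n, "wg_pubkey", cand))
                    break
    return findings


def redact(line: str) -> str:
    """Replace each flagged value in one line with a placeholder."""
    for f in scan_log([line]):
        line = line.replace(f.value, f"<{f.kind}>")
    return line


# Constructed sample lines (not real GhostShield output).
SAMPLE_KEY = base64.b64encode(bytes(range(32))).decode()
SAMPLE_LOG = [
    "2026-04-02T10:15:01Z wg0: handshake did not complete after 5 seconds, retrying",
    "2026-04-02T10:15:03Z wg0: sending handshake response to peer from=203.0.113.7:51820",
    f"2026-04-02T10:15:03Z wg0: peer={SAMPLE_KEY} allowed-ips=10.64.0.5/32",
    "2026-04-02T10:15:09Z resolver: upstream [2001:db8::53]:853 unreachable, using fallback",
    "2026-04-02T10:15:10Z api: listening on 0.0.0.0:8080, health on [::1]:8081",
    "2026-04-02T10:16:00Z crash: segfault in wg-monitor pid=4142, core written to /var/crash",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} {f.value}")
```

Run on the sample, the scanner flags the client address and the peer key on lines 2 and 3, the tunnel-internal address from `allowed-ips`, and the upstream resolver on line 4. The last one is a deliberate false positive: the scanner cannot tell infrastructure addresses from client addresses, and for this purpose over-reporting is the right default; the auditor strikes it out rather than the scanner silently ignoring a class of address.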
2. Cryptographic audits
A cryptographic audit reviews the protocol implementation and the way it is configured. We use WireGuard, whose Noise-based handshake and ChaCha20-Poly1305 transport are both well studied, but an implementation can still get the surrounding details wrong. The auditor verifies key derivation, nonce and counter handling, key rotation, and our defence against known attack classes: memory-disclosure bugs of the Heartbleed kind, timing side channels in key handling, and downgrade paths. WireGuard itself negotiates no cipher suites, so the downgrade check applies to any point where a client could fall back to a different protocol, not to the tunnel protocol itself.
3. Infrastructure audits
The infrastructure audit is the most expensive and the hardest to fake. Auditors visit a sample of our server locations physically (or remotely via dedicated KVM access) and verify that the running OS image matches what we publish, that no persistent disk or swap is mounted, and that reboots actually wipe state. We commit to publishing at least one infrastructure audit per year.
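One of the checks behind "no persistent disk is mounted", as an added example that is not GhostShield's tooling: a classifier over a /proc/mounts listing that an auditor can run from the KVM console of a node that is supposed to boot from RAM. The mount table below is constructed for the example; the device names and paths in it are assumptions.

```python
"""Check a /proc/mounts listing for writable persistent storage.

Added illustration, not GhostShield's own tooling. Anything that is not a
memory-backed or pseudo filesystem, is not mounted read-only, and is not
an overlay whose upper layer sits on such a filesystem is reported as
persistent. Swap is listed in /proc/swaps, not here, and must be checked
separately.
"""
from __future__ import annotations
from dataclasses import dataclass

# Filesystems that cannot hold state across a reboot. Deliberately not
# listed: pstore and efivarfs, which do persist.
VOLATILE_FS = {
    "rootfs", "tmpfs", "ramfs", "devtmpfs", "proc", "sysfs", "devpts",
    "cgroup", "cgroup2", "mqueue", "debugfs", "tracefs", "securityfs",
    "bpf", "configfs", "hugetlbfs", "binfmt_misc", "fusectl",
}


@dataclass(frozen=True)
class Mount:
    source: str
    target: str
    fstype: str
    options: frozenset


def parse_mounts(text: str) -> list[Mount]:
    """Parse /proc/mounts lines: source target fstype options dump pass."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        src, tgt, fstype, opts = fields[:4]
        # /proc/mounts escapes spaces inside paths as \040.
        src, tgt = (s.replace("\\040", " ") for s in (src, tgt))
        mounts.append(Mount(src, tgt, fstype, frozenset(opts.split(","))))
    return mounts


def _mount_for_path(path: str, mounts: list[Mount]) -> Mount | None:
    """Longest-prefix match of a path against mount points, ignoring overlays."""
    best = None
    for m in mounts:
        if m.fstype == "overlay":
            continue
        if m.target == "/" or path == m.target or path.startswith(m.target + "/"):
            if best is None or len(m.target) > len(best.target):
                best = m
    return best


def classify(m: Mount, mounts: list[Mount]) -> str:
    """'volatile', 'read-only' or 'persistent' for one mount entry."""
    if m.fstype in VOLATILE_FS:
        return "volatile"
    if m.fstype == "overlay":
        upper = next((o[len("upperdir="):] for o in m.options
                      if o.startswith("upperdir=")), None)
        if upper is None:
            return "read-only" if "ro" in m.options else "persistent"
        # An overlay is only as volatile as its writable upper layer.
        backing = _mount_for_path(upper, mounts)
        if backing is not None and classify(backing, mounts) == "volatile":
            return "volatile"
        return "persistent"
    if "ro" in m.options:
        # Cannot retain state, but it is the image whose hash must match
        # what is published.
        return "read-only"
    return "persistent"


def persistent_mounts(text: str) -> list[tuple[str, str, str]]:
    """(target, fstype, source) for every writable persistent mount."""
    mounts = parse_mounts(text)
    return [(m.target, m.fstype, m.source)
            for m in mounts if classify(m, mounts) == "persistent"]


# Constructed mount table (not a real GhostShield node). The ext4 mount on
# /var/log is the kind of thing this check exists to catch.
SAMPLE_MOUNTS = """\
rootfs / rootfs rw 0 0
/dev/loop0 /run/image squashfs ro,relatime 0 0
overlay / overlay rw,relatime,lowerdir=/run/image,upperdir=/run/overlay/upper,workdir=/run/overlay/work 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda1 /var/log ext4 rw,relatime 0 0
"""

if __name__ == "__main__":
    for target, fstype, source in persistent_mounts(SAMPLE_MOUNTS):
        print(f"PERSISTENT {target} ({fstype} on {source})")
```

The overlay case is the one that is easy to get wrong by eye: the root filesystem reads as "overlay, rw", which is fine only because its upper directory lives under the tmpfs at /run. The check resolves that path instead of trusting the filesystem type, and reports the ext4 mount on /var/log as the single persistent one.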
What we do not audit (and why)
We do not commission periodic audits of the user-facing apps for the absence of telemetry. The Windows and Android binaries are signed and reproducible from source: any user can build the source, compare the result with the published binary (the signature is the one part a local build cannot reproduce, so the comparison excludes it), and verify there are no surprises. Publishing reproducible builds is a stronger guarantee than a periodic audit because anyone, at any time, can run the verification. It proves that the shipped binary matches the source; whether that source contains telemetry is something the reader of the source still has to check for themselves.
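The comparison step, as an added example that is not GhostShield's own verification script: a signed package never hashes identically to an unsigned local build, so the check is done per zip entry, skipping the v1 (JAR) signature files under META-INF/. v2 and v3 APK signatures live in the APK Signing Block, which is not a zip entry, so they drop out of an entry-level comparison on their own. The packages below are built in memory for the example and stand in for the real artifacts; the Windows binary needs the same idea with the Authenticode signature stripped first (a tool such as osslsigncode can do that), which this example does not cover.

```python
"""Compare a published, signed APK against a local reproducible build.

Added illustration, not GhostShield's tooling. Entry contents are hashed
and compared; v1 signature files are excluded because they are the only
entries a local build cannot reproduce.
"""
from __future__ import annotations
import hashlib
import io
import zipfile

# JAR-style signature entries; everything else must match byte for byte.
_SIGNATURE_SUFFIXES = (".MF", ".SF", ".RSA", ".DSA", ".EC")


def _is_signature_entry(name: str) -> bool:
    return name.startswith("META-INF/") and name.upper().endswith(_SIGNATURE_SUFFIXES)


def entry_digests(package: bytes) -> dict[str, str]:
    """SHA-256 of every non-signature entry, keyed by entry name."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for info in zf.infolist():
            if info.is_dir() or _is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_packages(published: bytes, local: bytes) -> dict[str, list[str]]:
    """Report entries that differ in content or exist on only one side."""
    a, b = entry_digests(published), entry_digests(local)
    return {
        "mismatch": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
        "only_in_published": sorted(a.keys() - b.keys()),
        "only_in_local": sorted(b.keys() - a.keys()),
    }


def is_reproducible(published: bytes, local: bytes) -> bool:
    return not any(compare_packages(published, local).values())


def _build(entries: dict[str, bytes]) -> bytes:
    """Construct an in-memory zip; stands in for real build output."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed packages (not real GhostShield artifacts).
_CONTENT = {
    "AndroidManifest.xml": b"<manifest package='example.ghostshield'/>",
    "classes.dex": b"dex\n035\0" + bytes(64),
    "res/values/strings.xml": b"<resources/>",
}
_SIGNATURE_FILES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"\x30\x82" + bytes(16),
}
LOCAL_BUILD = _build(_CONTENT)
PUBLISHED = _build({**_CONTENT, **_SIGNATURE_FILES})
# Same package with something extra compiled into classes.dex.
TAMPERED = _build({**_CONTENT,
                   "classes.dex": _CONTENT["classes.dex"] + b"telemetry",
                   **_SIGNATURE_FILES})

if __name__ == "__main__":
    print("published matches local build:", is_reproducible(PUBLISHED, LOCAL_BUILD))
    print("tampered vs local build:", compare_packages(TAMPERED, LOCAL_BUILD))
```

This compares entry contents only. Zip metadata (timestamps, compression level, entry order) is ignored here, which is enough to answer "is the same code in the package" but is weaker than a bit-for-bit check of an unsigned build; a stricter version would diff the central directory as well.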
How audit findings get handled
Findings are categorised on standard severity scales (CVSS for security, qualitative for policy issues). For every finding, this page records:
- The original auditor description and severity.
- Our remediation plan and target date.
- The actual remediation date and a re-audit confirmation, where applicable.
- If a finding cannot be remediated quickly, the workaround and its expiry.
Findings are never silently rewritten or removed. Where the original auditor's wording was wrong (it has happened), a correction note appears alongside the original.
Why we publish audit dates before audits happen
Trust pages on competing VPN sites typically list only completed audits. The selection bias is obvious: if an audit went badly, you would not advertise it. Publishing the schedule before the work begins removes the option of quietly dropping an unflattering result.
FAQ
Why no completed audits yet?
GhostShield launched in 2025. The first audit is scheduled for Q2 2026 — early enough that the company has meaningful infrastructure to audit, late enough that the audit is meaningful rather than ceremonial. We are not the first VPN to delay the first audit past the launch year, but we are committing to a public schedule with named firms, which most do not.
Why those specific auditors?
Cure53 has audited Mullvad, Proton VPN, ExpressVPN, and a long list of privacy products; they are the default choice for VPN privacy audits in the EU. Trail of Bits is a top US cryptographic-review firm with deep WireGuard experience. NCC Group does on-site infrastructure work for several of the privacy-focused services. Where their schedule does not align with ours, we substitute Kudelski Security or Doyensec.
Can I see a draft of the Q2 audit's scope of work?
Yes — email audits@ghostshield.ai and we will send the signed engagement scope, with commercial terms redacted. We treat the scope of work as effectively public.
What if an audit finds a serious issue?
We will publish the finding, the remediation plan, and the remediation deadline on this page, and email all paying customers with the same information within 7 days of confirming the finding. The bar for “serious” is anything that would let an attacker identify a specific user's traffic, or compromise the no-logs claim.
How can users verify a finished audit was real?
Every published audit report is accompanied by an auditor-signed PDF, the auditor's contact information, and where applicable a posted entry on the auditor's own website confirming the engagement. You can email the firm directly to confirm.