Mullvad completes third-party payment audit – here's what you need to know

Mullvad VPN app on iPhone screen
(Image credit: Kenneth Cheung / Getty Images)

Mullvad just completed a third-party audit of its payment and account systems. This assessment included the parts that handle logins, device provisioning, payments, and WireGuard key delivery.

The audit, done by security firm X41 D-Sec, put Mullvad's backend code under a white-box microscope.

What did the audit find?

The audit flagged five security-relevant issues, two rated low severity and three rated medium, plus several informational notes on general hardening. None of the findings exposed user data or undermined Mullvad's privacy guarantees.

The most notable issue involved a voucher race condition, where the same code could be used across multiple accounts. That glitch affected billing only and didn't leak personal info. Two of the medium-severity findings were redacted from the public report to avoid exposing potential availability risks, but Mullvad confirmed that those don't impact data confidentiality or integrity.
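The voucher finding described above is a classic check-then-act race: one request checks that a code is unredeemed, a second request does the same before the first has marked it used, and both get credited. The example below is added here to illustrate that bug class and its fix; it is constructed for this article and is not Mullvad's code or anything from the X41 report. It uses an in-memory SQLite schema (tables, column names and the voucher code are all invented) and interleaves two sessions deterministically in one thread, so the race reproduces without relying on thread timing.

```python
import sqlite3

# Constructed sample data (not real Mullvad identifiers): one 30-day voucher,
# two accounts that both try to redeem it.
VOUCHER_CODE = "EXAMPLE-VOUCHER-0001"
ACCOUNTS = ("acct_a", "acct_b")


def make_db():
    """Fresh in-memory store with one unredeemed voucher and two empty accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE vouchers (code TEXT PRIMARY KEY, days INTEGER, redeemed_by TEXT)")
    db.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, expiry_days INTEGER)")
    db.execute("INSERT INTO vouchers VALUES (?, ?, NULL)", (VOUCHER_CODE, 30))
    db.executemany("INSERT INTO accounts VALUES (?, 0)", [(a,) for a in ACCOUNTS])
    db.commit()
    return db


def credited(db):
    """Days credited per account, used to compare outcomes."""
    return {row[0]: row[1] for row in db.execute("SELECT id, expiry_days FROM accounts ORDER BY id")}


# --- Vulnerable pattern: the check and the write are separate statements ---
def vuln_check(db, code):
    """Step 1: is the voucher still unredeemed? Returns its value or None."""
    row = db.execute(
        "SELECT days FROM vouchers WHERE code = ? AND redeemed_by IS NULL", (code,)
    ).fetchone()
    return row[0] if row else None


def vuln_apply(db, code, account, days):
    """Step 2: mark redeemed and credit the account, trusting step 1."""
    db.execute("UPDATE vouchers SET redeemed_by = ? WHERE code = ?", (account, code))
    db.execute("UPDATE accounts SET expiry_days = expiry_days + ? WHERE id = ?", (days, account))
    db.commit()


def vulnerable_race(db, code, accounts):
    """Interleave two sessions: both pass the check before either writes,
    so both accounts are credited from a single voucher."""
    checks = {a: vuln_check(db, code) for a in accounts}  # A checks, then B checks
    for a in accounts:                                      # A applies, then B applies
        if checks[a] is not None:
            vuln_apply(db, code, a, checks[a])
    return credited(db)


# --- Hardened pattern: one conditional UPDATE decides the winner atomically ---
def safe_redeem(db, code, account):
    """Claim the voucher in a single statement; rowcount tells us whether we won.
    Returns True if this account was credited, False if someone else got it first."""
    cur = db.execute(
        "UPDATE vouchers SET redeemed_by = ? WHERE code = ? AND redeemed_by IS NULL",
        (account, code),
    )
    if cur.rowcount != 1:
        db.rollback()  # lost the race (or unknown code): credit nothing
        return False
    days = db.execute("SELECT days FROM vouchers WHERE code = ?", (code,)).fetchone()[0]
    db.execute("UPDATE accounts SET expiry_days = expiry_days + ? WHERE id = ?", (days, account))
    db.commit()
    return True


def hardened_race(db, code, accounts):
    """Same two sessions; only the first conditional UPDATE matches a row."""
    results = [safe_redeem(db, code, a) for a in accounts]
    return credited(db), results


if __name__ == "__main__":
    print("vulnerable:", vulnerable_race(make_db(), VOUCHER_CODE, ACCOUNTS))
    print("hardened:  ", hardened_race(make_db(), VOUCHER_CODE, ACCOUNTS))
```

The fix is that the "is it unredeemed?" test and the claim happen in one statement the database evaluates atomically, so the second session's update matches zero rows. An equivalent defence is a redemptions table with a unique constraint on the voucher code, where the losing insert fails with a constraint error; either way, the decision about who won is made by the database, not by application code that read stale state a moment earlier.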

The informational notes covered opportunities to tighten backend security even further, such as improving mTLS between internal services, simplifying Nginx configurations, and signing the relay list. Mullvad says it's already reviewing those suggestions.

Mullvad's website homepage
(Image credit: Mullvad)

Why third-party audits matter

For privacy-focused services like Mullvad, external audits aren't just good PR: they're how users verify that a VPN does what it claims. With so much riding on privacy policies and backend infrastructure, third-party testing adds a layer of accountability you don't get from marketing pages or internal security checks.

VPNs routinely handle sensitive data: login credentials, payment tokens, device identifiers, and more. Even if a service promises not to log anything, users still need to trust that its systems are built to support that promise, and that there's no hidden risk in the code handling payments or provisioning. Audits like this one dig into exactly those areas.

Unlike privacy audits that focus on no-log claims, this was a technical deep dive into the systems behind the scenes. It didn't surface any red flags, but it gave Mullvad a chance to fix billing bugs, tighten service availability, and improve backend authentication design, all without compromising user privacy in the process.

Mullvad also published the findings, including details about what was redacted and why: another sign that transparency is still core to its approach.

Disclaimer

We test and review VPN services in the context of legal recreational uses. For example: 1. Accessing a service from another country (subject to the terms and conditions of that service). 2. Protecting your online security and strengthening your online privacy when abroad. We do not support or condone the illegal or malicious use of VPN services. Consuming pirated content that is paid-for is neither endorsed nor approved by Future Publishing.
