ExpressVPN's Lightway protocol goes open-source alongside fresh security audit

[Image: ExpressVPN's open-source Lightway protocol code on a PC. Image credit: ExpressVPN]

For the last year or so, ExpressVPN has been beta-testing its in-house Lightway protocol, and today it released the core code on GitHub, making it fully open-source. For a proprietary VPN protocol this is unusual, and welcome: anyone can now read the code to understand how the protocol actually works, rather than taking the vendor's description on trust. The public release is also paired with an independent audit of the code.

As a demonstration of transparency to its users this is a big announcement, but for the industry as a whole it is also a statement of intent: ExpressVPN wants to shore up its status as one of the best VPNs and to be seen as a leader in protecting its users and their data.

Why open source?

'Open-source code allows the global tech community to test and inspect the code, identify potential vulnerabilities, and improve overall security. Open-sourcing also enables anyone to assess for themselves whether the claims we make about Lightway and its architecture are true,' says ExpressVPN in its blog post announcing the release.

'Speed, performance, privacy, security, reliability—no one protocol had them all,' continues ExpressVPN vice president Harold Li. 'That's why we invested resources to build Lightway from the ground up for modern VPN needs. The two latest trust and transparency initiatives give us even more confidence to fully launch Lightway at scale, and we are thrilled for more people to enjoy the benefits of Lightway.'

Independent audit

Independent audits mean that consumers don't have to take a VPN provider's claims at face value, and as such they are key tools in demonstrating a service's security. The usual caveat applies: an audit covers only the code and scope in place at the time of the review, so later changes to the protocol are not covered unless they are audited again.

Cybersecurity firm Cure53 undertook the audit of Lightway's code and has published the full report. In the process it found 14 issues, none of which was rated 'critical'. While that might sound alarming, surfacing issues like these is one of the main reasons for commissioning an audit in the first place, and as of July 2021 each of the findings has been addressed.

'The outcomes of this Cure53 assessment…are generally positive,' states Cure53. 'The scope of the ExpressVPN Lightway protocol assessed by Cure53 in this project makes a relatively robust impression. This holds despite the number of findings listed in this report. It is crucial to observe that the fixes are rather trivial to implement.'

What does this mean for you?

In short, Lightway is no longer just a proprietary protocol, and with these two moves ExpressVPN has positioned itself not only as one of the most popular VPN services on the market but also as an innovator in the field.

Only time will tell whether Lightway is adopted by other mainstream providers (something tells us that pride might get in the way in some cases), but as an exercise in transparency, open-sourcing the code and pairing it with an independent audit is certainly a step in the right direction.

Mo Harber-Lamond
VPN Editor

Mo is VPN Editor at Tom's Guide. Day-to-day he oversees VPN, privacy, and cybersecurity content, and also undertakes independent testing of VPN services to ensure his recommendations are accurate and up to date. When he's not getting stuck into the nitty-gritty settings of a VPN you've never heard of, you'll find him working on his Peugeot 205 GTi or watching Peep Show instead of finally putting up those shelves.