ExpressVPN's Lightway protocol is now open source for new security audits


For the past year or so, ExpressVPN has been beta testing its in-house Lightway protocol, and today it released the core code on GitHub, making it fully open source. This is unusual (but welcome) for a proprietary protocol, as it allows everyone to understand the underlying mechanics and the special sauce used. Furthermore, this full disclosure is coupled with an audit of the code by an independent body.

As a demonstration of transparency to users, this is a major announcement. For the industry as a whole, it is a statement of intent: ExpressVPN is seeking to strengthen its position as the best VPN and as a leader when it comes to protecting users and their data.

"Open source code allows the worldwide technical community to test and inspect the code, identify potential vulnerabilities, and improve overall security. Open-sourcing also allows everyone to evaluate for themselves if the claims we are making about Lightway and its architecture are true," ExpressVPN claims in this blog post.

"No single protocol has it all: speed, performance, privacy, security, and reliability," continues ExpressVPN Vice President Harold Lee. "That's why we invested the resources to build Lightway from the ground up to meet modern VPN needs." Independent audits are an important tool to prove the security of a service, meaning that consumers do not have to take VPN providers' claims at face value.

Cybersecurity firm Cure53 undertook an audit of Lightway's code (full report here) and in the process found 14 issues, none of which were deemed "critical." As alarming as this may sound, identifying these issues was one of the most important reasons for conducting the audit, and as of July 2021, each of these findings has been addressed.

"The results of this Cure53 assessment are... generally positive," Cure53 claims. "The scope of the ExpressVPN Lightway protocol evaluated by Cure53 for this project appears relatively robust. This holds true despite the number of findings described in this report. Implementing the fixes is quite straightforward."

In short, Lightway has moved beyond proprietary protocols, and ExpressVPN has done so in order to establish itself not only as one of the most popular VPN services on the market, but also as an innovator in this field.

Only time will tell if Lightway will be adopted by other mainstream providers - I have a feeling that pride will get in the way in some cases - but in terms of increased transparency, open sourcing the code and the accompanying independent audit is definitely a step in the right direction.
