Are DuckDuckGo's apps and extensions open source and audited for security?
Executive summary
DuckDuckGo publishes some apps and extensions as open source and says it makes “the source code and data for many of our products and features available under open source licenses” [1]. The company has also commissioned at least one external security audit — its VPN was audited by Securitum in October 2024 — but reporting and third‑party audits show gaps and past vulnerabilities that were later fixed [2] [3].
1. What DuckDuckGo says about open source — partial transparency, not everything
DuckDuckGo’s own help pages state that it makes the source code and data for many products and features available under open source licenses, which indicates a selective rather than blanket open‑sourcing of its apps and services [1]. That phrasing leaves room for variability: some apps or features may be public while others remain proprietary, and the help page itself does not enumerate which components are open and which are closed [1].
2. Independent reporting: audits and vulnerabilities have been public
Independent audits and reporting have surfaced security and privacy issues at DuckDuckGo that the company subsequently addressed. An October 2024 audit found technical exposures in the browser that could facilitate cross‑tracking on sites using outdated technologies; reporting says those issues were fixed after they became public [3]. This demonstrates that third‑party review has occurred and produced actionable findings [3].
3. Formal external audits: VPN example shows some third‑party review
DuckDuckGo publicly documents a formal external security audit of its VPN and supporting infrastructure carried out by Securitum from October 1–22, 2024; the company promotes this as the first external audit of that product since launch [2]. That shows DuckDuckGo has engaged outside firms for at least parts of its stack, and it published findings and mitigations on its help pages [2].
4. Criticism and trust damage: experts questioned exceptions and fixes after disclosure
Privacy experts and security commentators have criticized DuckDuckGo for exceptions and delayed fixes. Reporting claims the company made a “Microsoft tracking exception” and that independent security audits showed DuckDuckGo fixed issues only after they became public, which commentators say eroded trust among privacy advocates who had recommended the service [4]. Such critiques indicate a tension between DuckDuckGo’s privacy branding and the operational realities revealed by audits [4].
5. Open source initiatives and future plans reported by outside blogs — aspirational, not definitive
Some technology blogs have suggested DuckDuckGo may introduce more open source elements or make certain privacy features open source to boost transparency and community review [5] [6]. Those pieces frame open‑sourcing as a possible or planned initiative rather than confirmed, exhaustive disclosure; they should be read as forward‑looking commentary rather than documentation of current policy [5] [6].
6. What the sources don’t say — gaps you should note
Available sources do not provide a comprehensive inventory mapping every DuckDuckGo app or extension to an open‑source code repository, nor do they confirm that all apps/extensions are fully open source or that every component has been audited (not found in current reporting). They also do not include the full Securitum audit report text in the provided snippets, so details on scope and severity are only summarized on DuckDuckGo’s help pages [2] [1].
7. How to evaluate these claims yourself — practical steps
Verify whether a specific DuckDuckGo app or extension is open source by checking its project repository or the company’s open source listing; DuckDuckGo’s help pages are a starting point but do not act as a full audit log [1]. For security posture, look for named third‑party audit reports (as with Securitum for the VPN) and independent researcher writeups; past reporting shows issues were discovered and patched after disclosure, so seek timestamps and remediation details in audit documents [2] [3].
8. Bottom line — mixed picture: some openness, proven audits, but not universal or flawless
The evidence shows DuckDuckGo does open‑source some code and has engaged external auditors for products such as its VPN, and independent reporting has both flagged flaws and documented subsequent fixes [1] [2] [3]. Critics argue these episodes undermined trust because of exceptions and post‑disclosure patches [4]. If you require fully open, continuously audited software, the current reporting suggests you should verify each specific app/extension and audit independently rather than assume blanket open‑source status or exhaustive third‑party audits [1] [2] [3].