Are there any known vulnerabilities or audits (with dates) assessing DuckDuckGo’s encryption and privacy claims?

Checked on January 15, 2026

Executive summary

Known independent assessments and disclosures have tested elements of DuckDuckGo’s privacy and encryption posture: a widely reported third‑party audit in 2022 that flagged a Microsoft-related “data flow” exception [1], a Securitum security audit of DuckDuckGo’s VPN conducted October 1–22, 2024 [2] [3], and multiple reports in 2024–2025 documenting browser behavior under certain network conditions that briefly exposed searches when HTTPS failed [4]. Reviewers praise DuckDuckGo’s Smarter Encryption and tracker‑blocking features, but critics point to remaining gaps and to the uneven scope and publication of external audits [5] [6] [7] [8].

1. The headline audits and dates: what exists on the record

The clearest named external assessment on DuckDuckGo’s public pages is a Securitum audit focused on the company’s VPN, performed from October 1 to October 22, 2024, with the company summarizing that the audit found no critical vulnerabilities and listing remediations and accepted risks [2] [3]. Separately, a 2022 external audit — widely reported and discussed in industry coverage — described a “secret data flow list” and explained that DuckDuckGo’s browser did not block certain data transfers to Microsoft ad platforms in some contexts, a finding that sparked substantial debate about exceptions to its tracker‑blocking claims [1] [9].

2. Vulnerabilities surfaced in reporting and tests

Investigative and technical reporting between 2022 and 2025 documented practical weaknesses: one set of findings showed that, under specific mobile‑network and VPN configurations in early 2024, the DuckDuckGo browser could fail to keep searches encrypted when an HTTPS connection dropped, which the company later patched according to summaries of those incidents [4]. Other critiques emphasize that DuckDuckGo’s approach sometimes leaves metadata or certain third‑party requests exposed (for example, when content is fetched via third‑party servers or when ad/syndication agreements apply), creating privacy gaps even if the company does not store logs itself [9] [10].

3. What DuckDuckGo says and what reviewers confirm

DuckDuckGo publicly describes Smarter Encryption, forcing HTTPS where available, and says it does not store IP addresses or create user profiles for search results [10] [7]. Independent reviews and product tests in 2024–2026 often give the browser and its Privacy Pro bundle credit for practical protections—automatic HTTPS upgrades, tracker blocklists, and a Privacy Grade feature—while noting tradeoffs such as the lack of traffic‑level encryption beyond HTTPS and the remaining visibility to ISPs without a VPN [5] [6] [7].
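The two behaviours described in sections 2 and 3, an HTTPS upgrade that is "forced where available" and the early-2024 failure mode in which searches went out unencrypted once the HTTPS connection dropped, come down to one policy decision: what a client does when the upgraded connection cannot be established. The following is an added illustration, not DuckDuckGo's code and not its Smarter Encryption list; the host list, the `send_request` function, the `connect` callback and the outage stub are all constructed for the example. It contrasts a best-effort upgrade, which silently falls back to plaintext, with a fail-closed one, which refuses to send the query at all.

```python
"""Added example: HTTPS-upgrade policy, best-effort versus fail-closed.
Not DuckDuckGo's code; the host list and network stub are constructed."""
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for an upgrade list of hosts known to serve HTTPS.
# The real Smarter Encryption list is not reproduced here.
HTTPS_CAPABLE_HOSTS = {"example.com", "search.example"}


class PlaintextRefused(Exception):
    """Raised when HTTPS fails and the fail-closed policy refuses to downgrade."""


def upgrade_url(url: str) -> str:
    """Rewrite http:// to https:// for hosts on the upgrade list.

    URLs for hosts not on the list, and URLs that are already https, are
    returned unchanged; the query string (where a search term lives) is kept.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme == "http" and host in HTTPS_CAPABLE_HOSTS:
        return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
    return url


def send_request(url: str, connect, fail_closed: bool = True) -> tuple[str, str]:
    """Attempt the request under the upgrade policy.

    `connect(url)` is a caller-supplied function that returns True when the
    connection (a TLS handshake for https URLs) succeeds. Returns the URL
    actually used and an outcome label. With fail_closed=True an upgraded
    request whose HTTPS connection fails is not retried over plaintext.
    """
    target = upgrade_url(url)
    if connect(target):
        outcome = "sent-encrypted" if target.startswith("https://") else "sent-plaintext"
        return target, outcome
    if target != url:
        # The upgrade itself failed: this is the decision point.
        if fail_closed:
            raise PlaintextRefused(
                f"HTTPS to {urlsplit(target).hostname} failed; refusing plaintext fallback"
            )
        # Best-effort policy: fall back to the original http URL. The query
        # string, including any search term, now crosses the network in clear.
        if connect(url):
            return url, "sent-plaintext"
    return target, "failed"


def simulate_https_outage(url: str) -> bool:
    """Constructed network stub: every TLS handshake fails, plaintext succeeds.

    This models the condition in the early-2024 reports (HTTPS unavailable on a
    particular network path) without touching any real network.
    """
    return not url.startswith("https://")


if __name__ == "__main__":
    query_url = "http://example.com/?q=constructed+search+term"
    print(send_request(query_url, lambda u: True))
    print(send_request(query_url, simulate_https_outage, fail_closed=False))
    try:
        send_request(query_url, simulate_https_outage, fail_closed=True)
    except PlaintextRefused as exc:
        print("fail-closed:", exc)
```

The interesting case is the third call: under an HTTPS outage the fail-closed policy surfaces an error to the user instead of a result page, which is the trade-off a privacy-first client has to accept to keep the guarantee in section 3 from degrading into the exposure in section 2.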

4. Gaps in scope: which products were audited and which were not

The published Securitum audit covered the VPN service specifically and is cited on DuckDuckGo’s help pages [2]. Other audits referenced in reporting focused on the browser’s data flows and tracker blocking [1]. Several mainstream reviews in 2024 noted the company had not released comprehensive third‑party audits covering all products and practices as of mid‑2024, a point raised by PCMag in June 2024 [8]. That suggests a fragmented audit record: contractual or product‑specific audits exist, but a single, public, audited statement covering the search engine, browser, extensions, and backend data practices together is not apparent in the provided reporting [8] [2] [1].

5. How to interpret these findings and the remaining unknowns

The evidence in public reporting shows both validated controls (a named VPN audit in October 2024 and ongoing product transparency efforts) and validated weaknesses (the 2022 Microsoft data‑flow finding and early‑2024 HTTPS failure cases), which together indicate partial but not complete external validation of DuckDuckGo’s privacy claims [2] [1] [4]. Reviews praising the service’s practical privacy features coexist with criticism about exceptions, metadata exposure, and inconsistent audit publication, leaving unanswered questions about a unified, up‑to‑date independent audit that encompasses all core services [5] [6] [8].
