What technical audits or independent security assessments exist for DuckDuckGo’s local storage claims?
Executive summary
DuckDuckGo has published at least one formal, third-party security audit for its VPN service carried out by Securitum in October 2024, but the public record in the supplied reporting contains no equivalent, widely published independent technical audit that specifically and comprehensively validates DuckDuckGo’s claims about how it uses or clears browser local storage [1]. Independent researchers and critical reporting have flagged local-storage–related issues in DuckDuckGo’s browser and apps, and some outlets describe a broader absence of formal privacy audits that would settle those concerns [2] [3].
1. What formal external audits exist and what did they cover?
The clearest documented external review in the provided material is a Securitum audit of DuckDuckGo’s VPN and supporting infrastructure, which DuckDuckGo published as part of a transparency effort and reported no critical vulnerabilities in that scope; the company said it plans to run regular external audits for its VPN product [1]. That Securitum engagement was explicit about scope — the VPN and related infrastructure — and does not, by the description available in these sources, equate to a full security audit of the DuckDuckGo browser or search engine features like local storage behavior [1].
2. Where local storage concerns come from: researcher findings and critical reporting
Multiple independent researchers and critical outlets have reported technical weaknesses tied to DuckDuckGo’s handling of local storage, particularly in mobile and older desktop browser builds, including claims that HTML5 local storage items could persist after clearing cookies or cache and that older desktop versions left traces at the OS level [2] [4]. One named researcher, Zach Edwards, is cited in the reporting as discovering problematic behavior during a security review of DuckDuckGo’s Privacy Browser, and broader reporting has linked these findings to a reputational crisis for DuckDuckGo [2].
3. Gaps in publicly available formal verification
Reporting on DuckDuckGo’s practices emphasizes a perceived lack of formal, comprehensive privacy audits that would settle contested technical claims, with criticism pointing out the absence of independent verification covering the browser’s storage semantics and the search engine’s local storage practices specifically [3] [2]. The available Securitum report covers the VPN; the public help pages and CSP reporting address content security practices but are not the same as an independent audit of local-storage behavior across DuckDuckGo’s browser and apps [1] [5].
4. Company controls and transparency mechanisms that are related but not equivalent
DuckDuckGo documents and publishes technical controls such as Content Security Policy (CSP) reporting to detect resource-loading or injection issues and says those reports are anonymous and used to validate CSP updates, which speaks to operational security hygiene but does not substitute for an audit that examines client-side storage persistence and clearing behavior [5]. DuckDuckGo also describes settings and anonymous cookie usage for search settings and display preferences, which some reviewers note can involve local storage or anonymous cookies for configuration — again, a distinct technical area from an audit affirming that local storage is never used to persist user-identifiable data [6].
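To make the CSP reporting mechanism described above concrete, here is an added example (it is not DuckDuckGo's code and is not taken from the page): a small Python receiver-side routine that parses violation reports in the standard `csp-report` JSON shape a browser POSTs to a `report-uri` endpoint, reduces each report to non-identifying fields (origins only, no paths, query strings or referrer), and aggregates counts per directive and blocked source so a proposed policy update can be validated against real traffic. The sample reports, hostnames and thresholds are constructed for this example.

```python
"""Triage of Content Security Policy (CSP) violation reports.

Added example, not DuckDuckGo's code. Shows the standard `csp-report`
JSON shape a browser POSTs to a report-uri endpoint, how a receiver can
reduce each report to non-identifying fields, and how aggregated counts
are used to decide whether a policy change is safe to ship.
All sample reports and hostnames below are constructed.
"""
import json
from collections import Counter
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: three reports in the browser's `csp-report` format.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://example.test/search?q=secret+query&user=42",
        "referrer": "https://example.test/",
        "violated-directive": "script-src",
        "effective-directive": "script-src",
        "original-policy": "default-src 'self'; script-src 'self'; report-uri /csp",
        "blocked-uri": "https://cdn.example-third-party.test/lib.js?v=3",
        "status-code": 200}}),
    json.dumps({"csp-report": {
        "document-uri": "https://example.test/about",
        "referrer": "",
        "violated-directive": "script-src",
        "effective-directive": "script-src",
        "original-policy": "default-src 'self'; script-src 'self'; report-uri /csp",
        "blocked-uri": "https://cdn.example-third-party.test/other.js",
        "status-code": 200}}),
    json.dumps({"csp-report": {
        "document-uri": "https://example.test/",
        "referrer": "",
        "violated-directive": "img-src",
        "effective-directive": "img-src",
        "original-policy": "default-src 'self'; report-uri /csp",
        "blocked-uri": "https://tracker.example-ads.test/pixel.gif?id=abc",
        "status-code": 200}}),
]


def origin_only(uri):
    """Reduce a URI to scheme://host so paths and query strings are never stored.
    Keyword values browsers send instead of a URI ('inline', 'eval', 'data')
    have no host and are returned unchanged."""
    parts = urlsplit(uri)
    if not parts.scheme or not parts.netloc:
        return uri
    return urlunsplit((parts.scheme, parts.netloc, "", "", ""))


def anonymize(raw):
    """Parse one report body and keep only the fields needed for policy tuning.
    The referrer and the full document URI (which may carry a search query)
    are deliberately dropped."""
    report = json.loads(raw)["csp-report"]
    return {
        "document_origin": origin_only(report.get("document-uri", "")),
        "directive": report.get("effective-directive")
        or report.get("violated-directive", ""),
        "blocked": origin_only(report.get("blocked-uri", "")),
    }


def summarize(raw_reports):
    """Count violations per (directive, blocked source) across all reports."""
    return Counter((r["directive"], r["blocked"]) for r in map(anonymize, raw_reports))


def sources_needing_review(summary, min_count=2):
    """Sources blocked at least `min_count` times (constructed threshold):
    candidates for an explicit allow-list entry or for confirming the block is intended."""
    return sorted(key for key, n in summary.items() if n >= min_count)


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_REPORTS).most_common():
        print(n, *key)
```

The design point is that the aggregation works entirely on origins and directive names, so the stored data cannot be tied back to a particular page view or query even though the raw report the browser sent contained both; a policy change is then judged by whether the counts for the sources it newly blocks or allows match expectations.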
5. How to read the evidence and what remains unverified
Based on the supplied sources, there is credible independent researcher reporting alleging local-storage vulnerabilities and some documented fixes in later releases, but no publicly cited, comprehensive third-party security assessment focused exclusively on verifying DuckDuckGo’s local storage claims appears in this set of materials; the only named external audit is of the VPN service and not the browser’s client-side storage behavior [2] [4] [1]. That means the debate in public reporting rests on researcher disclosures and company remediation statements rather than on a single, public, independent technical audit that definitively confirms or refutes all of DuckDuckGo’s local storage claims [3] [2].