Has DuckDuckGo released the full third-party VPN audit report and what did it find?
Executive summary
DuckDuckGo has published the full third‑party security audit of its VPN, conducted by Securitum, and makes that report available through its help pages, stating that the audit found no critical vulnerabilities and describing remediations and accepted risks [1]. Independent reviews and tech press coverage summarize the same conclusions (no evidence of logging, and several medium/high issues that were fixed) while cautioning that audits are snapshots, not guarantees [2] [3] [4].
1. What was audited, and has the full report been released?
DuckDuckGo says the audit covered its VPN and supporting infrastructure — including backend APIs and client apps — and that it partnered with security firm Securitum to perform a “comprehensive security audit,” with the full report available for public reading on DuckDuckGo’s help pages [1] [2]. Earlier reporting noted the company’s promise to publish the full audit once complete (WIRED, CNET), and the company followed through according to its own documentation [5] [6] [1].
2. The headline findings: what did the auditors conclude?
Summaries in multiple outlets and DuckDuckGo’s own help page report that the audit identified no critical vulnerabilities and found no evidence of logging tied to user activity, supporting DuckDuckGo’s no‑logs claim; it also identified a set of issues — described in some reports as six medium‑ and high‑risk items — that the company remediated [1] [2] [3] [4]. DuckDuckGo frames the audit as a validation of its security posture while acknowledging some accepted risks and planned ongoing audits [1].
3. How independent and conclusive is this audit?
The audit was performed by Securitum, a third‑party security firm, which provides more independence than in‑house assessments and is widely viewed as a credibility signal in VPN reviews [2] [3]. However, reviewers and privacy commentators stress that audits are point‑in‑time evaluations that don’t immunize a service from future misconfiguration, data exposures, or business‑model questions; some earlier criticism of DuckDuckGo emphasized a lack of comprehensive independent audits of its broader privacy practices even before the VPN audit [7] [5]. The available reporting makes clear that the Securitum audit improves transparency but does not resolve all trust questions around long‑term operations and vendor ties [5] [7].
4. What unresolved questions and alternative viewpoints remain?
While the audit’s findings of “no critical vulnerabilities” and “no evidence of logging” are repeated across DuckDuckGo’s help page and independent reviews, skeptical voices note that audits differ in scope and methodology. Some critics previously flagged gaps in DuckDuckGo’s privacy guarantees and questioned exceptions like past Microsoft tracker allowances, which they say are separate but relevant to overall trust in the company’s privacy posture [7] [8]. Reporting does not provide evidence that the audit addressed every hypothetical threat model (for example, long‑term operational logging practices under legal compulsion or third‑party subcontractor risks), and the published summaries and press coverage caution readers that audits are useful trust signals but not absolute proof [2] [3].
5. Bottom line — what a reader should take away
The factual record in DuckDuckGo’s documentation and multiple technology reviews indicates the full Securitum VPN audit has been released and concluded with no critical vulnerabilities, no evidence of logging, and a set of medium/high findings that DuckDuckGo fixed and disclosed [1] [2] [3] [4]. That represents a meaningful step toward transparency, but independent experts and critics remind the public that an audit is a snapshot and that sustained transparency — regular, methodologically clear audits and ongoing operational disclosure — is necessary to maintain trust over time [2] [7].