Have any of the published audit reports for these VPNs included critical vulnerabilities or significant recommendations, and how did each vendor respond?
Executive summary
Independent, published VPN audits have repeatedly found meaningful security issues — in some cases high- or critical‑severity flaws — and vendors’ responses range from rapid patching and verified remediation to more opaque handling depending on scope and publicity; examples include NordVPN’s Cure53 engagements (high‑severity findings remediated and revalidated) and AmneziaVPN’s OTF/7Asecurity audit (two criticals identified and fixed on retest) [1] [2]. At the same time, experts warn audits are a snapshot with variable scope, so absence of “critical” language in a report does not guarantee absence of exploitable issues in unexamined components [3] [4] [5].
1. NordVPN: high-severity findings, fast remediation and independent verification
Cure53’s audit work on NordVPN identified multiple serious issues — five high‑severity vulnerabilities across apps and server infrastructure in combined reports — but the firm reported no remaining critical vulnerabilities after NordVPN’s engineering team applied fixes, and Cure53 independently verified the patches were effective, a response presented as quick and thorough by both auditor and vendor [1]. TechRadar framed this as evidence audits function as a preemptive safety net when vendors act promptly, but it also noted audits examined specific components and thus could miss other risks if the scope were limited [1] [3].
2. AmneziaVPN: critical faults found, resolved, and retested by funder-auditor
The Open Technology Fund–commissioned audit of AmneziaVPN by 7Asecurity found two critical and one high‑risk vulnerability, including remote code execution via malicious config import and an exposed admin API that could allow VPN config tampering, plus additional medium and low risks; the auditors reported that AmneziaVPN fixed the issues and retesting showed remediation was successful [2]. The OTF summary framed the disclosures and fixes as part of iterative, threat‑model driven auditing aimed at censorship‑resistance tools, illustrating that even specialized projects can harbour critical bugs which are manageable when a full white‑box review and follow‑up occur [2].
3. Mullvad and others: many findings, mostly non‑critical; watch for nuance in severity reporting
Aggregations and lists of public audits show that auditors have often catalogued dozens of findings. For example, a report summary referenced by GreyCoder counted 20 findings for one vendor, consisting of medium and low severities rather than criticals, which demonstrates that auditors routinely surface implementation issues and medium‑level weaknesses even when no single “critical” CVE is flagged [6]. This pattern matches industry commentary that audit reports typically rank vulnerabilities by severity, and that “no criticals” does not mean flawless security, only that the highest‑severity classes were not present in that scope at that time [6] [4].
4. Systemic context: vendor patching, audit scope, and the real‑world exploit pipeline
Security researchers and industry reports stress that audits are a point‑in‑time tool: good reports include follow‑ups and verification of fixes, and omitting these steps weakens the assurance an audit provides [3]. Meanwhile, ecosystem monitors and incident trackers continue to document critical VPN appliance exploits (e.g., Ivanti, Fortinet, Citrix) that required emergency guidance or patches, underscoring that third‑party enterprise VPN products have been the source of urgent vulnerabilities exploited in the wild. Consumer VPN audit results therefore exist alongside broader vendor‑product risk across the industry [7] [8] [9]. Auditors, vendors, and journalists each have incentives: auditors to be thorough and reputable, vendors to demonstrate security progress, and some coverage to highlight reassuring headlines. Readers should therefore inspect the full audit scope, the severity lists, and whether retesting occurred, rather than rely solely on press summaries [10] [5] [4].
5. What the record shows and what it doesn’t
Published audit reports have indeed included critical vulnerabilities in multiple cases (AmneziaVPN is a documented example) and high‑severity issues in others (NordVPN’s Cure53 reports), with the common vendor response being immediate remediation followed by auditor verification when the engagement includes retesting; however, audit utility depends on breadth of scope, transparency about follow‑ups, and public availability of full reports, so absence of critical findings in a given report should be read in context rather than taken as absolute proof of no risk [2] [1] [3] [4].