Security audit
Last updated: 24 April 2026
Current status
Cloak VPN has not yet commissioned a third-party security audit of our infrastructure or client code. We believe in being direct about this rather than implying otherwise.
What is audited today
The cryptographic protocols we rely on have been independently reviewed:
- Rosenpass, the post-quantum key-exchange daemon we use to feed a fresh pre-shared key to every WireGuard tunnel every ~120 seconds, has been formally verified and published in peer-reviewed academic work. See the Rosenpass project site for the protocol spec, machine-checked proofs, and the papers.
- WireGuard, the data-plane protocol itself, has been extensively reviewed since 2017, including formal verification work presented at IEEE S&P 2018 and the original Noise framework analysis. See wireguard.com/formal-verification.
- X25519-MLKEM768, the hybrid post-quantum key exchange used on our control-plane TLS 1.3 endpoints, is a NIST-standardized combination shipped by Cloudflare, Apple, and Google in 2024–2025.
In other words: the cryptography we depend on has been audited. Our integration of that cryptography into a production VPN service has not, yet.
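If you run a concentrator yourself and want to confirm the Rosenpass behaviour described above (a fresh pre-shared key on every WireGuard peer roughly every 120 seconds), here is an added check that is not code from the Cloak repository: it compares two `wg show <iface> dump` snapshots taken about two minutes apart and classifies each peer. The dump layout is WireGuard's documented tab-separated format; the keys, endpoints and timestamps in the sample are constructed placeholders.

```python
# Compare two `wg show <iface> dump` snapshots and report whether each
# peer's preshared-key changed between them. Interface line: private-key,
# public-key, listen-port, fwmark. Peer lines: public-key, preshared-key,
# endpoint, allowed-ips, latest-handshake, transfer-rx, transfer-tx,
# persistent-keepalive. A missing PSK is printed as "(none)".

def _line(*fields: str) -> str:
    return "\t".join(fields)

# Constructed sample snapshots (placeholder keys, not real WireGuard keys).
SNAPSHOT_T0 = "\n".join([
    _line("SERVER_PRIV_PLACEHOLDER=", "SERVER_PUB_PLACEHOLDER=", "51820", "off"),
    _line("PEER_A_PUB=", "PSK_A_OLD=", "203.0.113.10:41641", "10.8.0.2/32", "1745000000", "1024", "2048", "off"),
    _line("PEER_B_PUB=", "(none)", "203.0.113.11:41642", "10.8.0.3/32", "1745000005", "512", "768", "25"),
    _line("PEER_C_PUB=", "PSK_C_SAME=", "203.0.113.12:41643", "10.8.0.4/32", "1745000009", "256", "256", "off"),
])
SNAPSHOT_T1 = "\n".join([
    _line("SERVER_PRIV_PLACEHOLDER=", "SERVER_PUB_PLACEHOLDER=", "51820", "off"),
    _line("PEER_A_PUB=", "PSK_A_NEW=", "203.0.113.10:41641", "10.8.0.2/32", "1745000121", "4096", "8192", "off"),
    _line("PEER_B_PUB=", "(none)", "203.0.113.11:41642", "10.8.0.3/32", "1745000125", "600", "900", "25"),
    _line("PEER_C_PUB=", "PSK_C_SAME=", "203.0.113.12:41643", "10.8.0.4/32", "1745000129", "300", "300", "off"),
])

def parse_peers(dump: str) -> dict[str, tuple[str, int]]:
    """Map peer public key -> (preshared-key field, latest-handshake epoch)."""
    peers: dict[str, tuple[str, int]] = {}
    for line in dump.splitlines()[1:]:  # first line describes the interface
        fields = line.split("\t")
        if len(fields) != 8:
            raise ValueError(f"unexpected peer line: {line!r}")
        peers[fields[0]] = (fields[1], int(fields[4]))
    return peers

def check_psk_rotation(before: str, after: str) -> dict[str, str]:
    """Classify each peer as rotated, unchanged, no-psk, added or removed.
    'unchanged' or 'no-psk' on a peer that is actively handshaking means the
    PSK feed is not doing what the service claims for that peer."""
    b, a = parse_peers(before), parse_peers(after)
    verdict: dict[str, str] = {}
    for pub in sorted(b.keys() | a.keys()):
        if pub not in a:
            verdict[pub] = "removed"
        elif pub not in b:
            verdict[pub] = "added"
        elif "(none)" in (b[pub][0], a[pub][0]):
            verdict[pub] = "no-psk"
        elif b[pub][0] == a[pub][0]:
            verdict[pub] = "unchanged"
        else:
            verdict[pub] = "rotated"
    return verdict
```

On a live host, replace the constructed snapshots with the output of `wg show <iface> dump` captured twice, about two minutes apart; a peer reported as `no-psk` or `unchanged` is the one to investigate.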
Planned audit
We intend to commission an audit of our server-side provisioning code (server/api/internal/wg), our concentrator setup scripts, and — when they ship — the native Cloak iOS and Android clients. Our plan is to do this once the service has enough revenue to fund it properly, which we expect to be around 1,000 active subscribers.
Audit firms we are evaluating: Cure53, Radically Open Security, and Trail of Bits — the same firms Mullvad, Proton, and other privacy VPNs have historically used.
What you can verify today
Until the audit is done, the most useful thing you can do is read the code yourself. The entire infrastructure repository — server scripts, Terraform, the Go API that provisions peers — is public:
github.com/dangerfield33/cloakvpn
If you find a bug or a claim that doesn't match the code, email [email protected]. We will fix it (and credit you, unless you'd rather stay anonymous).
When an audit is completed
The full audit report will be published on this page, unredacted, along with our written responses to every finding and the commits that address them.