Most VPN companies publish an annual or biennial security audit as a PDF. You read three pages, see "no critical findings", feel reassured, move on. Here's a more honest picture: self-audit is the weakest form of evidence a VPN can offer, and almost every audit PDF you've read has been commissioned by the company being audited. That's not fraud — it's just a weak trust signal, and for a privacy product, weak signals matter.

Oxshield doesn't start from zero. We run unmodified Outline server software, which means our protocol-level security has already been independently reviewed — by multiple organisations, over multiple years, with public reports you can read in full. That's the audit chain we inherit, and it's the strongest Day-1 answer we can give you about whether this thing is safe.

The self-audit problem

When a commercial VPN publishes an audit, the usual arrangement looks like this: the VPN company hires a security firm, scopes the engagement (which endpoints, which code, for how long), pays the invoice, reviews the findings internally, and then publishes an executive summary. The auditors are capable and the findings are real, but the scope is set by the company. If your subpoena-handling process is out of scope, or if the server operating procedure is out of scope, no auditor will find problems there.

This is what we mean when we say self-audit is a weaker signal than it looks. Every major VPN has passed one. Several of them have also quietly handed over user data when pressed. The audit didn't catch it because that was never inside the audit's scope.

What Outline is, and who audited it

Outline is the Shadowsocks-based VPN software built by Jigsaw, a unit inside Alphabet that works on anti-censorship tooling. Jigsaw commissioned three independent security reviews of Outline:

  • Radically Open Security (2018) — the original architecture review of the Outline Manager + Server + Client. Public report.
  • Cure53 (2019, 2022) — multiple focused reviews of the Outline server and client codebases, including penetration tests against running deployments.
  • Open Technology Fund — ongoing reviews as part of their Red Team Lab programme, which funds security work for anti-censorship tools used by human rights defenders.

All of these reports are public. The code is also public — Apache 2.0 licensed on GitHub at Jigsaw-Code/outline-server and outline-apps.

What we inherit — and what we don't

By running unmodified Outline, we inherit the protocol-level and server-level security review chain. Your traffic, once inside the tunnel, is handled by software that has been reviewed for:

  • Correct AEAD ChaCha20-Poly1305 implementation
  • Key derivation and handshake integrity
  • Memory safety in the server code
  • Resistance to replay, downgrade, and traffic-amplification attacks
  • Safe handling of access key lifecycle (create/revoke/rotate)

What we do not inherit:

  • The security of the Oxshield dashboard and billing layer (our Next.js app)
  • The security of our Supabase integration and auth flow
  • The security of the Outline Manager API wrapper we use to provision user keys
  • The operational security of Oxshield-operated servers (how we patch, who has access, etc.)

Those pieces are ours. They need their own audit, and we plan to commission one when subscription revenue justifies the $15,000–$40,000 spend — realistically around months 4 to 6 after launch. We'll publish the report in full when it comes in.

The transparency we commit to now

Pending the infrastructure audit, here's what we do ship on Day 1:

  • Open source client — our Oxshield clients are a fork of the audited open-source stack, so the exact code running on your device is public and inspectable. Public source drop lands with the client launch.
  • Publishable server configuration — we'll share the Docker command and config files for our Oxshield-operated servers on request. No proprietary glue.
  • Protocol-level no-logs — Shadowsocks doesn't log traffic by default; we don't change that default. See our privacy policy for the full data picture.
  • Cert-pinned Manager API — the way our backend talks to each Outline server is authenticated by pinning the SHA-256 fingerprint of each server's TLS certificate. Our source code for this lives in the public repo; you can audit it.

What to read if you want to verify

Four useful links for the security-curious reader:

A VPN company's security story should be something you can verify, not something you have to believe. Ours starts with code you can read and reports you can download from firms who have no commercial relationship with us.