ProtonBlog(new window)

Proton Pass is open source and audited for security

Share this page

At Proton, we want you to be able to choose what happens to your personal information, which is why we’ve built a suite of encrypted services that put you in control. An integral part of giving you control is explaining exactly how our services work, including how they protect your information. This is the only way you can make an informed decision about who to entrust with the details of your life. 

Given the sensitive information you protect with your password manager, it’s crucial that you know exactly what’s happening inside it. Because Proton Pass is open source, anyone can inspect our code and ensure that the apps work as described(new window).

You can find the source code for Proton Pass here:

Review the code for all Proton apps

Proton Pass has passed an independent security audit

While being open source means that anybody can audit our code, not everyone has the time, technical expertise, or interest to pore over our apps’ code. That’s why we also regularly commission and publish independent security audits for all our apps.

Proton Pass’s code underwent a security audit by the German security firm Cure53(new window) throughout May and June. We selected Cure53 to handle the Proton Pass audit because we wanted to ensure that Proton Pass received the most rigorous testing possible, and Cure53 has extensive experience investigating browser extensions and password managers. They tested all Proton Pass mobile apps, browser extensions, and our API.

Cure53 had this to say about Proton Pass, “Proton’s extensive and thorough security assessment by Cure53 showcased their commitment to maintaining a high-level of security. With a moderate number of findings and most security vulnerabilities limited in severity, the overall state of security across Proton’s applications and platforms is commendable”. 

These results reflect Proton’s deep security DNA and help validate many of the architectural decisions we made with Proton Pass. There are also password management-specific considerations that this audit helped raise to our attention. For instance, we missed a case where an attacker might control a subdomain on a domain where the user has an account and thus trick a user who isn’t paying attention into accidentally entering their credentials. 

All issues reported in the security audit have been resolved except for the medium severity issue PRO-01-003 WP1, which unfortunately cannot be resolved at this time due to a platform limitation in Android (the Android operating system doesn’t currently provide the information that would be required to solve this issue). You can read the Proton Pass audit report(new window) for yourself. You can also find the audit reports for all Proton services.

Security you can trust and verify

As a company run by scientists (Proton was founded by scientists who met at CERN), we believe strongly in the scientific ethos of transparency and peer review. Proton’s security and privacy claims can be independently verified by others, and our open-source code allows our claims to be continually tested, verified, and even improved.

Instead of hiding vulnerabilities and relying on secrecy to maintain “security” like other companies, we subject all our services to rigorous public examination, allowing us to swiftly find and resolve any issues. 

For this reason, we also actively encourage the inspection and checking of Proton’s code through our public Bug Bounty Program(new window).  If you have questions or comments about Proton Pass, its security audit, or our approach to open source, please share them with us! Join the conversation on Twitter(new window) and Reddit(new window).

Protect your privacy with Proton
Create a free account

Share this page

Son Nguyen(new window)

Son is the Founder of SimpleLogin, which he continues to work on, along with Proton Pass. Previously, he was the director of engineering at Workwell and CTO at Fitle. Son graduated from Ecole Polytechnique with an MSc in computer science and was a gold medalist at the International Mathematical Olympiad.

Related articles

How to share a PDF
Sharing a PDF with coworkers, friends, or family members can sometimes be trickier than it seems if you’re trying to share a large file or if you want to use secure encryption. In this article, we show you how to share any PDF quickly, easily, and se
Proton Pass for Windows
Proton Pass is launching its new app for Windows, allowing you to access our password manager from your desktop. As one of our community’s most requested features, it’s available to everyone starting today. Proton Pass is the centerpiece of our effo
password policy
Businesses are increasingly dealing with the fallout from cybercrime: The number of attacks is on the rise and the damage done is growing exponentially. One of the most common vulnerabilities for organizations are their passwords. Since they are your
How to free up disk space
If you’ve ever owned an electronic device of any kind, you know the struggle of running out of space. No matter if it’s a smartphone, laptop, or desktop computer, there never seems to be enough room for all your files. Let’s show you some simple ways
What is 3-2-1 backup
Data backup is vital for businesses and individuals alike: In case something happens to your primary computer, you always have a copy of your data to fall back on.  How should you approach backup, though? The 3-2-1 rule can act as a guide when decid
What was your first pet’s name? In what city were you born?  We’ve all had to answer these questions to reset a long-forgotten password, but consider how that works. Much of this information is easy to find for others (or easily forgotten by you), m