Security without scrutiny is just a claim. It’s why we built all our apps to be open source, and publish independent audit results for everyone to verify.
This year, Recurity Labs, an ISO 27001-certified IT security consultancy, tested everything a Proton Pass user interacts with: the Proton Pass browser extensions, mobile and desktop applications, and Command Line Interface (CLI).
The security firm, with no financial ties to Proton, has nearly two decades of trusted experience in helping organizations secure complex systems and audited Proton’s password manager between January and April 2026.
Recurity Labs found Proton Pass’s overall security posture to be “well above par”.
Proton Pass is built on a solid security foundation
The audit confirmed Proton Pass security is exceptionally robust:
- No remote exploits found: Users cannot be hacked simply by visiting a malicious website or clicking a link.
- No encryption bypasses identified: Attackers can’t use shortcuts, backdoors, or weak keys to bypass the encryption layer.
Security audits are primarily an opportunity to test and improve our implementations. We’re grateful to the auditors at Recurity for helping us identify several areas for improvement beyond the core security requirements.
The report noted several observations — recommendations focused on strengthening practices like how secrets are managed in computer memory while the app is running.
Proton took these findings seriously and chose to implement fixes even for areas that fell outside our immediate threat model. During the retest, the desktop memory-handling issues were all resolved, demonstrating our commitment to acting on expert feedback and continuously improving our security posture.
You can read the Proton Pass audit report for yourself. You can also find the audit reports for all Proton services.
Transparency as a security feature
Proton was founded by CERN scientists who believe in peer review and verification. By keeping our code open and publishing independent audit results, we allow anyone to test our claims.
This rigorous public scrutiny helps us find and fix vulnerabilities faster, proving that transparency is the strongest foundation for privacy.
If you’re a security researcher, we invite you to check Proton’s code through our public Bug Bounty Program. If you have questions or comments about Proton Pass, its security audit, or our approach to open source, share them with us.
You can also join the conversation on X and Reddit.






