When you download a password manager and begin adding sensitive passwords for services like your email, bank and social accounts, you’re placing your trust in that service. As a customer, you expect the makers of your password tool to have created a service that is well designed and secure.
Over the past few years, we’ve watched the password management industry closely, and been troubled by what we’ve seen. We saw password managers implement poor security architecture that in some cases resulted in exposure of people’s passwords. After years of securing TunnelBear, we endeavoured to use our experience to build a more secure password tool.
Security from day one
Today, we announced that the RememBear Beta is now public and available for download. With TunnelBear, we set the precedent that we would complete regular security audits of our products. We’ve now carried that practice through to RememBear, which has undergone an independent security audit prior to launch. Our auditor, Cure53, has published their findings on their website.
Security testing from architecture to launch
The RememBear team invested a lot of time up front into thoughtfully engineering the strong end-to-end encryption system that underpins RememBear. Before development began, our proposed architecture was shared with Cure53 for feedback.
After nearly a year of development, as we prepared to release RememBear to the public, we once again brought in Cure53 to do a complete audit of RememBear’s servers, apps and infrastructure. They reviewed a number of different iterations of our apps, allowing us to strengthen our approaches as we progressed through development. Using a “white-box” approach, they were given full access to our systems and code.
A public, independent audit
Today we’re sharing the complete public audit which contains feedback on both the initial design and the results from the current audit. As the auditor, Cure53’s opinions and findings are their own, and they have published the results on their website.
Before the report was published, the RememBear team was given the opportunity to provide feedback where we felt findings were inaccurate or irreproducible. As is the case with most security audits, Cure53 was paid for the audit.
What were the results?
From architecture, to development and testing, we work hard to proactively prevent and find vulnerabilities before they can be exploited. By working with Cure53 during the architecture and development stages, we’re proud to share that no critical security issues were discovered. All findings that were discovered have been addressed by the RememBear team prior to public release.
You can read the full report on Cure53’s website.
Our ongoing commitment to security
Our plan is to bring every ounce of our experience securing TunnelBear to RememBear and our new password management apps. We stand by our belief that good security needs constant reevaluation, which is why we’re committed to regularly scheduled audits for all of our products.
Being transparent and proactively identifying vulnerabilities will be the cornerstone of our security approach. Over the coming months, we will also be sharing an in-depth look at the security implementation behind RememBear. We look forward to hearing your feedback and working to make RememBear even better.