I posted a link from MRG in a thread but want to go further. While there are many good articles about VPN services & privacy, there are few about VPN & security (in the narrow definition). We know almost nothing about each service's security, not just about firewalls.

Some services such as PIA, Mullvad, PP, and ExpressVPN seem to have a kind of bug bounty, but they're not transparent. It seems Express' bounty doesn't work as there's no mention in their release notes. Some, such as encrypt.me & HIDE.ME, had 3rd-party audits, but it's still not very clear what that means. An audit may have privacy concerns, but think about it... if a service has decent security but logs everything and sells that, then it's no use for the privacy-minded. But if a service really doesn't log but their servers have poor security, so that any bad actor can easily compromise them, then there's no real privacy. (IIRC, some commercial VPN services deploy NIPS; it might be a more serious privacy concern.)

AirVPN's response to Heartbleed was quick and good, but I'm not sure about other services, nor other vulnerabilities if any (BTW, all of the best VPNs recommended on Wilders support the public audit of OpenSSL or OpenVPN!). OVPN explains their physical security well, but AFAIK no others do this. WhattheSEVER says they use OpenBSD, which is to my knowledge probably the most secure OS, but I know little about what OS, software, hardware, network security measures, etc. other services use.

Any input will be appreciated. As I don't put much stock in security-through-anonymity, I think these services should be more transparent. If someone tried to probe the security of a service, it could be illegal unless there's a pre-agreement, so it will be hard to know, but the bad guys won't care.