We exist to serve our customers, offering them a VPN as a tool for increased privacy and security. If we become aware of a security incident in our service, we have disclosure processes in place to ensure maximum protection of our customers while also taking all other factors into consideration.
If customer data is at risk
Any security incidents that put customer data at risk will always be dealt with in the same way, regardless of the size or nature of the incident or how the information is acquired, such as from an audit or tip.
Our actions will include
- pinpointing the actual issues and allocating the appropriate stakeholders
- fixing the problem (changing keys, updating software, closing down servers)
- ensuring that the solution is propagated throughout our entire production
- disclosing detailed information about the problem once it has been mitigated and everyone is deemed safe.
Our security audit of the Mullvad app from September 2018 exemplifies our process in action from start to finish, including addressing the auditors' finds and publicizing them.
Operational incidents that don’t affect customer data
We will not disclose any details regarding incidents that do not put any customer data (PII, personally identifying information) at risk. If we were to discover an incorrectly configured or potentially vulnerable entity in our production environment that doesn’t affect customer data, this will simply be fixed by our teams and marked internally as a bug or security issue.
An internal incident report will be created which will contain how the issue was discovered and subsequently mitigated. This report will be saved in our internal knowledge base and all teams will be briefed on the impact our corresponding mitigations.