VPN Security Scoring: What Our Signal Means and Why It Matters

How Anonymous VPNs calculates security scores for providers—factoring jurisdiction, audits, RAM-only servers, trackers, ownership, and real-world no-logs proof.

At Anonymous VPNs, every provider we recommend carries a security score. It’s one of the most important parts of our methodology—though not the only one. Security matters differently depending on your use case: a whistleblower in China will weigh it more heavily than a student unlocking BBC iPlayer. That’s why IVPN and Mullvad dominate our Best VPNs for Privacy, while NordVPN and ExpressVPN rank high among the Fastest VPNs despite lower security scores.

Our scoring model is rule-based and explanatory. Providers begin at a baseline, lose points for risks, and earn bonuses for transparency or real-world proof. The end result reflects not just technical features but also jurisdictional, operational, and reputational risk.


Why jurisdiction matters (and how court-proof can offset it)

Where a VPN is based defines what it can be compelled to do. Countries inside the 5/9/14-Eyes alliances have broader intelligence-sharing obligations, secret orders, and cross-border pressure. That’s why jurisdiction/Eyes is one of our strongest signals.

The gold standard of no-logs proof is real-world evidence that a provider keeps no logs: a police raid, server seizure or court case in which no usable data could be produced. We also look at the provider's history of no-logs audits. This kind of “court-proof” can offset, but not erase, jurisdiction risk: it shows the provider kept no logs at that time and could demonstrate it, but a secret order can still compel logging in the future.


How the Scoring Model Works

  1. Start from a perfect baseline.
    Every provider begins with full marks.

  2. Subtract penalties for weaknesses.
    Jurisdiction risks, missing audits, trackers, or weak features reduce trust.

  3. Add bonuses for strengths.
    Transparency (like open-source apps), advanced protections (multi-hop), or proven no-logs events boost trust.

  4. Apply a structural cap.
    Fundamental risks (e.g. 5-Eyes jurisdiction, hostile ownership) limit the maximum possible score, preventing “checklist features” from washing out deep flaws.

  5. Clamp between 0–100.


Major Signals Considered

Country of jurisdiction (country_located)

  • What it is: Where the VPN company is legally incorporated (e.g. Panama or the British Virgin Islands).
  • Why it matters: Local laws (data retention, gag orders, warrants) define what can be compelled. Outside major alliances generally means lower cross-border risk.

Intelligence-sharing membership (in_eyes)

  • What it is: Membership in 5/9/14-Eyes alliances.
  • Why it matters: Members are more likely to share surveillance data and enforce secrecy orders.

No-logs audits (no_log_audits, last_no_log_audit)

  • What it is: Independent audits of a provider’s “no-logs” claims.
  • Why it matters: Turns marketing into evidence. Audits lose value as they age; recent ones inspire more trust.

RAM-only servers (offers_ram_only)

  • What it is: RAM-only servers boot from read-only images and keep all state in volatile memory.
  • Why it matters: Ensures state is wiped on reboot and minimizes forensic residue on seized hardware. It does not protect a server that is compromised or imaged while it is running, so it complements, rather than replaces, a no-logs policy.

Protocol support (supports_wireguard, supports_openvpn)

  • WireGuard: Modern and lean, with a small, auditable codebase and generally better performance.
  • OpenVPN: Mature and widely vetted, with broad compatibility and better reliability on restrictive networks (e.g. it can run over TCP port 443 where UDP is blocked).

Kill switch (kill_switch)

  • What it is: A failsafe that blocks traffic if the tunnel drops.
  • Why it matters: Prevents sudden IP/DNS leaks during disconnections.

DNS leak protection (dns_leak_protection)

  • What it is: Ensures DNS lookups happen only over the VPN.
  • Why it matters: Stops ISPs and third parties from seeing browsing activity.
  • Extra credit: Hardened resolvers, DNSSEC, DoH/DoT, or configurable DNS options.

IPv6 leak protection (ipv6_leak_protection)

  • What it is: Properly tunnels or safely disables IPv6 traffic.
  • Why it matters: Prevents leaks through unmanaged IPv6 paths.

Multi-hop (multi_hop)

  • What it is: Routes traffic through two or more VPN servers.
  • Why it matters: Adds path separation, so no single server sees both your real IP and your destination, making entry/exit correlation harder.

Split tunneling (split_tunneling)

  • What it is: Lets users choose which apps or sites go through the VPN.
  • Why it matters: Useful for streaming and LAN access, but can create deanonymization risks if misused.

Open-source apps (open_source_apps)

  • What it is: Client apps whose source code is published.
  • Why it matters: Lets independent parties review the code and verify that the shipped binary matches it (reproducible builds). Counted as a transparency bonus in our model.

Trackers (tracker_count)

  • What it is: Analytics or advertising SDKs embedded in apps.
  • Why it matters: A VPN should shrink your footprint, not add to it. Trackers undermine privacy.

History of privacy/security scandals (privacy_scandal)

  • What it is: Past incidents like hidden logging, unsafe marketing, or data exposure.
  • Why it matters: Past behavior predicts future risk. Transparent remediation is critical.

Ownership risk (shady_parent)

  • What it is: Opaque or problematic parent companies, including data-brokers or conglomerates with poor records.
  • Why it matters: Corporate incentives drive operational trustworthiness.

Proven no-logs (proven_no_logs_in_court)

  • What it is: Legal cases or police seizures where no logs were available.
  • Why it matters: Strong, real-world evidence that claims match reality.
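
The five steps under “How the Scoring Model Works” and the signals listed above, put together as one runnable example. This is an added illustration, not the site’s own scoring code: the field names follow the page’s signals, but every weight, structural cap and audit-decay threshold is an assumption chosen to show the mechanics, and the sample providers are fictional.

```python
# Toy implementation of the rule-based scoring model on this page. The field
# names match the page's signals; every numeric weight, cap and audit-decay
# step below is an ASSUMPTION for illustration, not the site's published value.
from __future__ import annotations
from dataclasses import dataclass
from datetime import date


@dataclass
class Provider:
    name: str
    country_located: str
    in_eyes: int = 0                   # 0 = outside alliances, else 5, 9 or 14
    no_log_audits: int = 0
    last_no_log_audit: date | None = None
    offers_ram_only: bool = False
    supports_wireguard: bool = False
    supports_openvpn: bool = False
    kill_switch: bool = False
    dns_leak_protection: bool = False
    ipv6_leak_protection: bool = False
    multi_hop: bool = False
    split_tunneling: bool = False      # recorded but score-neutral in this toy
    open_source_apps: bool = False
    tracker_count: int = 0
    privacy_scandal: bool = False
    shady_parent: bool = False
    proven_no_logs_in_court: bool = False


EYES_PENALTY = {0: 0, 14: 10, 9: 15, 5: 20}   # assumed per-tier penalty
EYES_CAP = {0: 100, 14: 90, 9: 85, 5: 75}      # assumed structural cap per tier
SHADY_PARENT_CAP = 60                          # assumed cap for hostile ownership


def audit_penalty(p: Provider, today: date) -> int:
    """No audit costs the full penalty; an audit loses value as it ages."""
    if p.no_log_audits == 0 or p.last_no_log_audit is None:
        return 15
    age_years = (today - p.last_no_log_audit).days / 365.25
    return 0 if age_years <= 1 else 5 if age_years <= 2 else 10 if age_years <= 3 else 15


def score(p: Provider, today: date) -> tuple[int, list[tuple[str, int]]]:
    """Return (final score, explanation) following the five steps on this page."""
    raw, why = 100, []                                    # 1. perfect baseline

    def apply(label: str, delta: int) -> None:
        nonlocal raw
        if delta:                                         # zero deltas are not recorded
            raw += delta
            why.append((label, delta))

    # 2. penalties for weaknesses
    apply("jurisdiction/eyes", -EYES_PENALTY.get(p.in_eyes, 0))
    apply("no-logs audit missing or stale", -audit_penalty(p, today))
    apply("no RAM-only servers", 0 if p.offers_ram_only else -5)
    protocols = int(p.supports_wireguard) + int(p.supports_openvpn)
    apply("protocol coverage", {0: -10, 1: -3, 2: 0}[protocols])
    apply("no kill switch", 0 if p.kill_switch else -10)
    apply("no DNS leak protection", 0 if p.dns_leak_protection else -10)
    apply("no IPv6 leak protection", 0 if p.ipv6_leak_protection else -5)
    apply("trackers in apps", -min(3 * p.tracker_count, 15))
    apply("privacy/security scandal", -15 if p.privacy_scandal else 0)
    apply("ownership risk", -15 if p.shady_parent else 0)
    # 3. bonuses for strengths
    apply("open-source apps", 5 if p.open_source_apps else 0)
    apply("multi-hop", 5 if p.multi_hop else 0)
    apply("no-logs proven in court/raid", 10 if p.proven_no_logs_in_court else 0)
    # 4. structural cap: fundamental risks bound the maximum, whatever the feature list
    cap = EYES_CAP.get(p.in_eyes, 100)
    if p.shady_parent:
        cap = min(cap, SHADY_PARENT_CAP)
    apply("structural cap", min(0, cap - raw))            # pulls raw down to cap
    # 5. clamp to 0..100
    return max(0, min(100, raw)), why


# Constructed sample providers (fictional; not ratings of any real service).
TODAY = date(2025, 1, 1)
FULL = dict(no_log_audits=2, last_no_log_audit=date(2024, 6, 1), offers_ram_only=True,
            supports_wireguard=True, supports_openvpn=True, kill_switch=True,
            dns_leak_protection=True, ipv6_leak_protection=True, multi_hop=True,
            open_source_apps=True, proven_no_logs_in_court=True)
OUTSIDE_EYES = Provider("Example-PA", "Panama", in_eyes=0, **FULL)
FIVE_EYES_SAME_FEATURES = Provider("Example-US", "United States", in_eyes=5, **FULL)
WEAK = Provider("Example-Weak", "United States", in_eyes=5, supports_wireguard=True,
                kill_switch=True, dns_leak_protection=True, split_tunneling=True,
                tracker_count=4, privacy_scandal=True, shady_parent=True)

if __name__ == "__main__":
    for prov in (OUTSIDE_EYES, FIVE_EYES_SAME_FEATURES, WEAK):
        final, reasons = score(prov, TODAY)
        print(f"{prov.name}: {final}", *[f"  {lbl}: {d:+d}" for lbl, d in reasons], sep="\n")
```

The explanation list is what makes the model “explanatory”: the two identically featured providers both reach a raw 100 after bonuses, but the 5-Eyes one is pulled down to 75 by the structural cap in step 4, which is exactly how the cap stops checklist features from washing out a jurisdictional flaw.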

Common Pitfalls

  • Audit ≠ guarantee: An audit is a snapshot of the moment it was performed, and its scope may exclude infrastructure or apps.
  • “RAM-only” claims: Check for implementation details (e.g. reproducible builds, auto-provisioning).
  • A proxy is not a VPN: See VPNs vs proxies.
  • Jurisdiction vs operations: Strong laws can be undermined by bad ops—and vice versa. Scores weigh both.

Methodology: See how we test.