Security & Verification

How VPN9's reproducible builds ensure your security

🔒 Our Security Commitment

VPN9 is the first VPN provider to offer fully reproducible server builds with runtime attestation. This means you can verify that our servers are running exactly the code we claim, with no hidden modifications or backdoors.

Key Principle:

You don't need to trust us - you can verify everything yourself.

✅ What You Can Verify

  • Source Code - All server code is open source on GitHub
  • Build Process - Reproducible builds mean identical binaries from source
  • Runtime State - Live attestation of what's actually running
  • No Modifications - Verify no files have been changed post-deployment

🛠️ Verification Methods

1. Quick Web Verification

Visit our verification dashboard for instant checks:

Open Verification Dashboard

2. API Verification

curl https://vpn9.com/api/v1/attestation | jq .
curl https://vpn9.com/api/v1/attestation/verify | jq .

3. Manual Build Verification

# Clone and build
git clone https://github.com/vpn9labs/vpn9-portal.git
cd vpn9-portal
./scripts/reproducible-build.sh

# Verify against production
./scripts/verify-build.sh production

🏗️ Build Reproducibility

Our builds are deterministic, meaning the same source code always produces bit-for-bit identical binaries. This is achieved through:

  • Fixed timestamps (SOURCE_DATE_EPOCH)
  • Pinned dependencies with checksums
  • Deterministic build environments
  • Cryptographic verification at each step

Anyone can rebuild our software and verify it matches what's running in production.
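To make the first two bullets concrete, here is an added Python illustration (not VPN9's build script or any code from the vpn9-portal repository). It packages a small constructed source tree twice, the second time with every file's mtime moved a day forward to stand in for a rebuild on another machine, and shows that a naive archive changes while one that honours SOURCE_DATE_EPOCH and normalizes ownership does not. The epoch value, file names and contents are all constructed for the example.

```python
# Added example (not VPN9's code): what "fixed timestamps" and normalized
# metadata buy you when packaging a build artifact. The same constructed tree
# is archived twice; the second copy has every mtime bumped by a day to stand
# in for a rebuild elsewhere. The naive archive changes, the reproducible
# archive does not.
import hashlib
import io
import os
import tarfile
import tempfile
import time

# Constructed value. A real build derives it from the commit, for example
#   SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)
SOURCE_DATE_EPOCH = 1700000000


def _write_tree(root, files, mtime):
    """Create a small constructed source tree and stamp every file with mtime."""
    for relpath, content in files.items():
        path = os.path.join(root, relpath)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        os.utime(path, (mtime, mtime))


def naive_tar_sha256(root):
    """Non-reproducible packaging: tar.add keeps filesystem mtimes, uid/gid
    and mode, and the gzip header records the current wall-clock time."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        tar.add(root, arcname="build")
    return hashlib.sha256(buf.getvalue()).hexdigest()


def reproducible_tar_sha256(root, source_date_epoch=SOURCE_DATE_EPOCH):
    """Reproducible packaging: sorted entry order, mtimes clamped to
    SOURCE_DATE_EPOCH, owner and mode normalized, no gzip timestamp."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        for dirpath, dirnames, filenames in os.walk(root):
            dirnames.sort()  # traversal order becomes archive order
            for name in sorted(filenames):
                full = os.path.join(dirpath, name)
                arc = os.path.join("build", os.path.relpath(full, root))
                info = tar.gettarinfo(full, arcname=arc.replace(os.sep, "/"))
                # SOURCE_DATE_EPOCH convention: never emit a time later than
                # the epoch, so a rebuild tomorrow yields the same bytes.
                info.mtime = min(int(info.mtime), source_date_epoch)
                info.uid = info.gid = 0
                info.uname = info.gname = ""
                info.mode = 0o644
                with open(full, "rb") as fh:
                    tar.addfile(info, fh)
    return hashlib.sha256(buf.getvalue()).hexdigest()


def compare_builds():
    """Return (naive_1, naive_2, repro_1, repro_2) digests for two builds of
    the same tree; only the reproducible pair is expected to match."""
    files = {"app/main.rb": b"puts 'hello'\n", "Gemfile.lock": b"GEM\n  specs:\n"}
    now = int(time.time())
    with tempfile.TemporaryDirectory() as first, tempfile.TemporaryDirectory() as second:
        _write_tree(first, files, now)
        _write_tree(second, files, now + 86400)  # "rebuilt a day later"
        return (naive_tar_sha256(first), naive_tar_sha256(second),
                reproducible_tar_sha256(first), reproducible_tar_sha256(second))


if __name__ == "__main__":
    n1, n2, r1, r2 = compare_builds()
    print("naive       :", "match" if n1 == n2 else "DIFFER", n1[:16], n2[:16])
    print("reproducible:", "match" if r1 == r2 else "DIFFER", r1[:16], r2[:16])
```

The same idea applies to every artifact a build emits, not only tarballs: anything that embeds a build time, a username, a hostname, a temp path or an unsorted directory listing is a source of non-determinism that a rebuild by a third party will expose.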

📋 Software Bill of Materials (SBOM)

Every build includes a complete SBOM listing all components and dependencies:

  • All Ruby gems with exact versions
  • System packages and libraries
  • Node.js dependencies
  • Base image components

Download SBOMs from our GitHub releases.
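Publishing an SBOM is only half of the story; the reader has to check it. The following added Python example (not VPN9's code) audits an SBOM from the consumer's side. It assumes the CycloneDX JSON shape, which is an assumption here and not a statement about the format VPN9 ships, and flags the things a reproducibility reviewer cares about: components without an exact version, components without a SHA-256 content hash, and purls whose version disagrees with the version field. The SBOM fragment, component names and versions are constructed sample data.

```python
# Added example (not VPN9's code): a consumer-side audit of a CycloneDX JSON
# SBOM. The format is assumed; the sample document is constructed.
import json

# Constructed SBOM fragment in CycloneDX 1.5 JSON shape.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "rails", "version": "7.1.3",
         "purl": "pkg:gem/rails@7.1.3",
         "hashes": [{"alg": "SHA-256", "content": "a" * 64}]},   # fully pinned
        {"type": "library", "name": "nokogiri", "version": "1.16.0",
         "purl": "pkg:gem/nokogiri@1.16.0"},                        # no hash
        {"type": "library", "name": "lodash",
         "purl": "pkg:npm/lodash"},                                  # no version
        {"type": "library", "name": "puma", "version": "6.4.2",
         "purl": "pkg:gem/puma@6.4.0",                               # purl disagrees
         "hashes": [{"alg": "SHA-256", "content": "b" * 64}]},
    ],
})


def audit_sbom(sbom_json):
    """Return a sorted list of (component, problem) findings. An empty list
    means every component is pinned to an exact version with a SHA-256 hash
    and its purl agrees with that version."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    findings = []
    for comp in doc.get("components", []):
        name = comp.get("name", "<unnamed>")
        version = comp.get("version")
        if not version:
            findings.append((name, "no exact version"))
        algs = {h.get("alg") for h in comp.get("hashes", [])}
        if "SHA-256" not in algs:
            findings.append((name, "no SHA-256 hash"))
        purl = comp.get("purl", "")
        if version and "@" in purl:
            # pkg:type/name@version?qualifiers#subpath -> take the version part
            purl_version = purl.rsplit("@", 1)[1].split("?", 1)[0].split("#", 1)[0]
            if purl_version != version:
                findings.append((name, f"purl version {purl_version} != {version}"))
    return sorted(findings)


if __name__ == "__main__":
    for component, problem in audit_sbom(SAMPLE_SBOM):
        print(f"{component:10} {problem}")
```

A component that lacks a hash cannot be tied to the bytes that were actually built, and one that lacks an exact version cannot be rebuilt identically, so both findings are reproducibility gaps rather than cosmetic ones.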

🔐 Cryptographic Guarantees

SHA256 Checksums

All artifacts include SHA256 checksums for integrity verification

SLSA Attestations

Supply chain security with SLSA provenance

Signed Releases

Cryptographically signed builds when configured

Runtime Signatures

Live attestations signed by production servers
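The SHA256 checksums above, and the compare step in the manual build verification earlier on this page, both come down to the same operation: hashing what you have and comparing it to what was published. The following added Python example (not VPN9's code, and not what verify-build.sh does internally) performs that check against a checksum list in the format sha256sum emits, handling the three outcomes a real check must not gloss over: a file altered after the list was published, a listed file that is absent, and a malformed list line. The artifact names and contents are constructed for the example.

```python
# Added example (not VPN9's code): verify rebuilt or downloaded artifacts
# against a published "<hex digest>  <filename>" checksum list.
import hashlib
import os
import tempfile

HEX = set("0123456789abcdef")


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large artifacts need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha256sums(text):
    """Parse sha256sum-style lines into {filename: digest}. A malformed line
    raises instead of being skipped: a silently ignored entry is a file that
    never gets checked."""
    expected = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64 or not set(parts[0].lower()) <= HEX:
            raise ValueError(f"malformed checksum line {lineno}: {line!r}")
        digest, name = parts[0].lower(), parts[1]
        if name.startswith("*"):  # sha256sum's binary-mode marker
            name = name[1:]
        expected[name] = digest
    return expected


def verify_artifacts(directory, sums_text):
    """Return {filename: "OK" | "FAILED" | "MISSING"} for every listed file.
    Anything other than all-OK should be treated as a failed verification."""
    results = {}
    for name, digest in parse_sha256sums(sums_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif sha256_file(path) == digest:
            results[name] = "OK"
        else:
            results[name] = "FAILED"
    return results


def demo():
    """Constructed scenario: an intact artifact, one modified after the
    checksum list was published, and one listed but never downloaded."""
    with tempfile.TemporaryDirectory() as d:
        intact = os.path.join(d, "portal-build.tar")
        altered = os.path.join(d, "sbom.json")
        with open(intact, "wb") as fh:
            fh.write(b"reproducible bytes\n")
        with open(altered, "wb") as fh:
            fh.write(b'{"components": []}\n')
        sums = "\n".join([
            f"{sha256_file(intact)}  portal-build.tar",
            f"{sha256_file(altered)}  sbom.json",
            f"{'0' * 64}  release-notes.txt",   # listed, not present locally
        ])
        with open(altered, "ab") as fh:
            fh.write(b"one extra byte\n")      # post-publication modification
        return verify_artifacts(d, sums)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:8} {name}")
```

A checksum list only proves integrity relative to whoever published it; the signed releases and SLSA provenance listed above are what tie that list to the source and the build that produced it, so the checksum list itself should be fetched from a signed release rather than from the same unauthenticated place as the artifact.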

🐛 Security Bug Bounty

Found a security issue? We offer rewards for responsible disclosure:

  • Build reproducibility failures
  • Attestation bypass vulnerabilities
  • Supply chain security issues
  • Any security vulnerabilities

Report to: [email protected]