• emergencycall@fedia.io
    57 up, 1 down · 1 day ago

    A penetration test is not an audit and does not provide any such assurance that logs are not retained. The goal of a penetration test is to penetrate via vulnerabilities and misconfigurations, not validate public logging claims about a service.

    • Vicinus@piefed.zip
      33 up · 1 day ago

      The audit covered every public-facing component of Mullvad’s online presence, including the website, the Tor-only Onion service, the rsync setup, and the internal content management system (CMS). Each of these elements was examined for common attack vectors, misconfigurations, or any signs of hidden data collection.

      I believe checking the “internal content management system (CMS)” is what they are using to say there were no logs.

      They linked a more detailed report in the article, but I didn’t look at it. It may contain something different than my takeaway from the article.

      • Weslee@lemmy.world
        6 up · 12 hours ago

        The content management interface for the Mullvad VPN web application is a Django application that allows content administrators to manage the blog, help guides and similar articles.

        Doesn’t look like the CMS is anything to do with the VPN service itself.

      • emergencycall@fedia.io
        3 up, 1 down · 15 hours ago

        Your belief is wrong. That is not what a penetration test does. They are looking at it from the outside.