author Linus Färnstrand <linus@mullvad.net> 2020-06-26 12:25:42 +0200
committer Linus Färnstrand <linus@mullvad.net> 2020-06-26 12:26:03 +0200
commit 0c924e443807a220aca61d0e3d34ed2c1499874e (patch)
tree 150d3a1765ba2114f340a7445c5661d8eb3a99cd /audits
parent 2d4aea4e2180058ad4bf9fcd3103be2f0fc363ca (diff)
Improve language in 2020 app audit document
Diffstat (limited to 'audits')
-rw-r--r-- audits/2020-06-12-cure53.md | 70
1 files changed, 39 insertions, 31 deletions
diff --git a/audits/2020-06-12-cure53.md b/audits/2020-06-12-cure53.md
index 82ca5fc3f6..51c9e1920b 100644
--- a/audits/2020-06-12-cure53.md
+++ b/audits/2020-06-12-cure53.md
@@ -64,12 +64,14 @@ vulnerabilies fixed ([ios/2020.3] for iOS).
* __MUL-02-002 WP2__: Firewall allows deanonymization by eavesdropper (Medium)
- _Our comment_: This is a legitimate and fully possible deanonymization attack. However, it is
- not trivial to execute, so Cure53 classify it as medium only. This vulnerability is not
- an issue for any normal user. But as the report outlines in the conclusion chapter, a
- "state-funded and persistent threat" could very well use it to identify users. Since Mullvad
- care deeply about anonymity and our users with high threat models, we regard this finding
- as a rather serious one. But not critical enough to justify rushing out a stable release
+ _Our comment_: This is a legitimate and fully possible deanonymization attack. However, as it is
+ not trivial to execute, Cure53 classifies it as *Medium* only. This vulnerability is not
+ an issue for any normal user. But as outlined in the report's conclusion, a
+ "state-funded and persistent threat" could very well use it to identify users. Since
+ anonymity for our users, including those with high threat models, is paramount to us, we regard
+ this finding as a rather serious one. But not critical enough to justify rushing out a stable
+ release.
+
This issue is fixed in all desktop apps in the following PRs:
* [Windows PR #1827](https://github.com/mullvad/mullvadvpn-app/pull/1827)
* [Linux PR #1819](https://github.com/mullvad/mullvadvpn-app/pull/1819)
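Review bot: the rewritten MUL-02-002 comment still describes the attack as "legitimate and fully possible", which is vague next to the following "not trivial to execute"; "practical" or "realistic" would say what is meant. The new closing sentence, "But not critical enough to justify rushing out a stable release.", is a fragment; fold it into the preceding sentence, e.g. "we regard this finding as a rather serious one, but not critical enough to justify rushing out a stable release."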
@@ -77,25 +79,27 @@ vulnerabilies fixed ([ios/2020.3] for iOS).
* __MUL-02-006 WP1__: Blind HTML Injection via Problem Report (Low)
- _Our comment_: This finding does not put any Mullvad user or Mullvad itself in any risk.
- The problem reports are handled as plaintext and not HTML all the way from the app to the
- support team. The pingback observed in the report comes from Google's gmail servers
- who simply seem to query any URL they can parse in email bodies passing through their servers.
- As such, we do not agree with the classification as a HTML injection issue.
- There is probably no way Mullvad can disable this, and even if it was exploitable it would be
+ _Our comment_: This finding does not put any user or the service itself at risk.
+ The problem reports are handled as plaintext and not HTML, all the way from the app to the
+ support team. The pingback observed in the report comes from Google's Gmail servers
+ which simply seem to query any URL they can parse in email bodies passing through their servers.
+ As such, we do not agree with the classification as an HTML injection issue.
+ There is likely no way for us to disable this, and even if it was exploitable, it would be
Google that would be compromised and not Mullvad.
* __MUL-02-007 WP2__: Named Pipe exposed via SMB accessible to everyone (Medium)
- _Our comment_: This vulnerability allows controlling the Mullvad VPN on a Windows machine
+ _Our comment_: This vulnerability allows for controlling Mullvad VPN on a Windows machine
from the network. However, it requires the user to both enable "Local network sharing" in
- the app and disable Window's "password protected sharing". Neither of this is done by default,
- and Mullvad would not recommend anyone who care about their security or privacy to ever disable
- "password protected sharing" at all. We do not see this as a large security flaw, since the user
+ the app and disable Windows' "password protected sharing", neither of which is done by default.
+ Mullvad would not recommend anyone who care about their security or privacy to ever disable
+ "password protected sharing" at all.
+
+ We do not see this as a large security flaw since the user
must explicitly turn off important security settings for this to be exploitable to begin with.
- However, since the VPN is only supposed to be possible to control from the local computer,
- and since the report presents an easy to implement fix for the issue, we have implemented the
- proposed fix in [PR #1830](https://github.com/mullvad/mullvadvpn-app/pull/1830).
+ However, since the VPN is only supposed to be possible to control from the local computer
+ and since the report presents an easy fix for the issue, we have addressed this in
+ [PR #1830](https://github.com/mullvad/mullvadvpn-app/pull/1830).
### Miscellaneous issues
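Review bot: "Mullvad would not recommend anyone who care about their security or privacy" in the rewritten MUL-02-007 comment carries over a subject-verb disagreement from the old text; it should read "anyone who cares". In the MUL-02-006 comment, "even if it was exploitable, it would be Google that would be compromised" is a counterfactual and reads better as "even if it were exploitable".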
@@ -104,32 +108,36 @@ vulnerabilies fixed ([ios/2020.3] for iOS).
_Our comment_: The app does not in any way need the cache file that was found. So we directly
implemented the suggested fix to get rid of it in
[PR #1808](https://github.com/mullvad/mullvadvpn-app/pull/1808).
- Since the exposed data is not very sensitive,
- and since getting the data out of the device is far from trivial, we agree this is *info*
- level and not a serious leak in any way.
+ Since the exposed data is not very sensitive and getting the data out of the device is far
+ from trivial, we agree with the auditors that this is not a serious leak.
* __MUL-02-003 WP1__: General hardening recommendations for Android app (Info)
- _Our comment_: These are good recommendations from Cure53. It is indeed not a vulnerability
- in any way, but to practice defense-in-depth better we implemented the recommendations in
+ _Our comment_: These are good recommendations from Cure53 and we have implemented them
+ in order to better practice defense-in-depth in
[PR #1823](https://github.com/mullvad/mullvadvpn-app/pull/1823) and
[PR #1822](https://github.com/mullvad/mullvadvpn-app/pull/1822).
* __MUL-02-004 WP2__: Firewall allows TCP connections to WireGuard gateway (Low)
- _Our comment_: This vulnerability is very similar to __MUL-02-002__. But less dangerous
- since no custom token can be sent out, which makes it harder to identify a specific
+ _Our comment_: This vulnerability is very similar to __MUL-02-002__ but is less dangerous
+ since no custom token can be sent out, making it harder to identify a specific
user. This issue was fixed for Windows in the same PR where __MUL-02-002__ was fixed.
* __MUL-02-005 WP1__: VpnService logs static internal IPs to Android’s syslog (Info)
- _Our comment_: Leaking the private tunnel IP in use is considered bad but not critical
- in any way. We agree with the *info* level on this security finding since the attacker
+ _Our comment_: Leaking the private tunnel IP in use is considered bad but not critical.
+ We agree with the classification level of *Info* on this security finding since the attacker
needs either `adb` access or the phone to be rooted. There is no way Mullvad can fix
this potential information leak. The logging of the IP is done by the Android operating
- system as soon as any VPN app uses the operating system's VPN API. As far as we can tell
- there is no way to disable this, and all Android VPN apps are subject to the same type
- of leak.
+ system as soon as any VPN app uses the system's VPN API. and as far as we can tell,
+ there is no way to disable this nor for us to fix this potential information leak.
+ All, and all Android VPN apps are subject to the same type of leak.
+
+## Last words
+
+We wish to thank Cure53 not only for their work but also for a smooth collaboration through
+the entire process!
[2020.4]: ../CHANGELOG.md#20204---2020-05-12
[2020.5-beta1]: ../CHANGELOG.md#20205-beta1---2020-05-18
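Review bot: the rewritten MUL-02-005 comment has a broken sentence boundary and a garbled line: "uses the system's VPN API. and as far as we can tell," puts a full stop before a lowercase "and", and "All, and all Android VPN apps are subject to the same type of leak." looks like an editing leftover. The hunk also now states twice that the leak cannot be fixed, since the unchanged context line "There is no way Mullvad can fix this potential information leak." is followed by the added "nor for us to fix this potential information leak." Suggest dropping the added duplicate and closing with "As far as we can tell there is no way to disable this, and all Android VPN apps are subject to the same type of leak." The MUL-02-003, MUL-02-004 and "Last words" changes read fine.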