The report, despite the premises and scrutiny of the Cure53 testers, reads that the findings of our Chrome and Firefox extensions stand out as being extremely rare for the VPN browser extensions.

Download the report (.pdf): Pentest-Report Surfshark VPN Extension 11.2018

What the Report Said

To strengthen the reliability of the results, Cure53 testers employed the so-called white-box methods during the assessment, therefore reached a good level of coverage.

“Two members of the Cure53 team, who examined the scope in November 2018, can only conclude that the tested applications make a very robust impression and are not exposed to any issues, neither in the privacy nor in the more general security realms.”, the report concludes.

It also adds that the findings of our Chrome and Firefox extensions stand out with the relation “to being very rare for the VPN browser extension products, which commonly suffer from various issues.”     

Despite the “extremely low number of findings,” it’s important to add, the report yielded two vulnerabilities rated with “low” severity. However, to quote Cure53, “only one is an actual vulnerability and not even related to the browser extension itself, and the other one a general weakness.” Our teams have already addressed the issues to guarantee a bullet-proof service by all means.

“To sum up, Cure53 is highly satisfied to see such a strong security posture on the Surfshark VPN extensions, especially given the common vulnerability of similar products to privacy issues”, reads the report.

Download the report (.pdf): Pentest-Report Surfshark VPN Extension 11.2018

Why VPN Audits Matter

In recent years the VPN industry has been shaken by various scandals which grew customers’ distrust of the services. Popular VPN providers who claimed to be security and privacy orientated turned out to be selling just another lies nailed to the counter.

Just to name a few examples. Last summer IPVanish embroiled into a logging scandal whereby they provided user logs to the authorities. In 2017 it was revealed that PureVPN helped the FBI to catch an alleged cyberstalker by handing over his logs. Even though before they had always marketed their service as ‘no logs VPN.’

Audits are essential for two main reasons. First, independent cybersecurity experts analyze codes and discover vulnerabilities. They give important feedback which helps developers and engineers to improve their services.

Second, to be a credible VPN, it’s necessary to provide as many proofs as possible. Customers are often not aware of what goes on under the hood of a VPN service – it requires both technical and legal knowledge. Audits inform the public about the general state of the service, minus possible marketing clichés.

Thus, we decided to complete our first 3rd party audit and approached Cure53 to test our Chrome and Firefox extensions. Why them? Cure53 is an industry-leading web security service provider, dedicating their efforts to testing various online services.

Of course, we paid for the audit. Cure53 has some of the best security experts working on their teams, we couldn’t expect two members of the Cure53 to spend five days working for free.

Having said that, we’re satisfied with the results and committed to continuing going even further to delivering what we promise – a robust privacy and security service with your experience being our highest priority.

Surfshark team would like to thank Cure53 for their investigation and pleasant collaboration.

Have further questions? Don’t hesitate to drop us a line in the comment section below or contact our Head of Communications Paavo Aalto, [email protected]

Get Surfshark for $1.99/mo

30-day money-back guarantee with every plan

Buy NOW