Bug Bounty Program

The Surfshark Bug Bounty Program is governed by the legal terms and conditions outlined here and Privacy notice. Any capitalized words not defined here are explained in the Terms and Conditions. By participating in this Program, you agree to be fully bound by these Terms and Conditions.

While this is not a competition, it functions more as an experimental and discretionary rewards program. It is important to acknowledge that we reserve the right to cancel the program at any time, and the determination of whether to issue a reward is entirely at our discretion.

PROGRAM ELIGIBILITY

The official Surfshark Security Suite and consumer applications on various platforms are within scope:

  • Windows
  • Mac
  • iOS
  • Android
  • Browser extensions
  • Surfshark VPN servers
  • Surfshark API
  • Surfshark websites
  • Incogni websites
Windows: Microsoft Store
Surfshark
Domain
www.surfshark.com
Domain
my.surfshark.com
Domain
api.surfshark.com
Domain
surfshark.com/pricing
Domain
search.surfshark.com
Android: .apk
Other
Surfshark Chrome Extension
Other
Surfshark Firefox Extension
Other
Surfshark Edge Extension
Other
Surfshark VPN Application for Amazon Fire TV https://surfshark.com/download/amazon-fire-tv
Other
Desktop and Mobile apps
Android: Play Store
Executable
Surfshark – Windows Executable
https://surfshark.com/download/windows
Executable
Surfshark – macOS Executable
https://surfshark.com/download/macos
iOS: App Store
1391782046
Domain
incogni.com
Domain
api.incogni.com
Domain
blog.incogni.com

If you submit a Vulnerability for a product or service that is not covered by the Program at the time you submitted it, you will not be eligible to receive Bounty payments if the product or service is later added to the Program.

Scope exclusions

These are the scope exclusions that will not be rewarded in any way:

  • Vulnerabilities requiring physical access to the victim’s unlocked device, root/system privileges on, or MITM of a user’s device.
  • User enumeration attacks – the ability to determine if an email address or username is in use.
  • Attacks targeting outdated browsers or browsers other than Firefox, Chrome, Edge, or Safari.
  • Insecure cookie settings / flags on non-login cookies.
  • Weak SSL/TLS algorithms or protocols.
  • Lack of certificate pinning (improper certificate validation still eligible).
  • CSRF with no security impact (unauthenticated/logout/login CSRF).
  • Best practices violations (password complexity, expiration, re-use, etc.).
  • Clickjacking on pre-authenticated pages, or the non-existence of X-Frame-Options, or other non-exploitable clickjacking issues.
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Reflected file download.
  • Content spoofing and text injection issues without being able to modify HTML/CSS.
  • Homograph links.
  • Mobile app crashes.
  • Bypassing rate-limits or the non-existence of rate-limits that have no platform impact.
  • Exposure of internal domains on public domains.
  • Vulnerabilities only affecting users of outdated or unpatched browsers and platforms.
  • Any other submissions determined to be low risk, based on unlikely or theoretical attack vectors, requiring significant user interaction or resulting in minimal impact.
  • WordPress bugs (please report those to WordPress directly).
  • OpenVPN bugs (please report those to OpenVPN directly).
  • Out of date software
  • Anything related to credential stuffing and account takeover.
  • Spam or Social Engineering techniques.
  • Missing best practices, information disclosures, use of known-vulnerable libraries or descriptive / verbose / unique error pages (without substantive information indicating exploitability).
  • HTTP TRACE or OPTIONS methods enabled.
  • Reports related to the following security-related headers: o Strict Transport Security (HSTS) o XSS mitigation headers (X-Content-Type and X-XSS-Protection) o X-Content-Type-Options o Content Security Policy (CSP) settings (excluding nosniff in an exploitable scenario).
  • Self-XSS and issues exploitable only through Self-XSS.
  • Non-sensitive (ie. non-session) cookies missing the Secure or HttpOnly flags.
  • Bugs that do not represent any security risk.
  • Application or server error messages, stack traces.
  • Hardcoded API keys in applications (unless it constitutes a significant risk)
  • “Scanner output” or scanner-generated reports.
  • Publicly released bugs in internet software within 3 days of their disclosure.
  • Denial of service attack.

Requirements for Vulnerability Submission:

Automated Testing Prohibition

Automated testing is strictly prohibited to maintain the integrity of Our Bounty Program.

Testing Account Usage

When investigating bugs, utilize the provided testing accounts exclusively. Avoid interacting with other accounts unless explicit consent is obtained from their owners. This ensures a controlled environment for bug identification and resolution.

First Reporter Bounty

The initial reporter of a bug will be the sole recipient of the Vulnerability. While duplicate bugs are considered for additional insights, rewards are exclusively granted to the first reporter, encouraging swift and efficient reporting.

Respect for Final Decision

We request all participants to respect Our final decision regarding the bug and its associated Bounty. Our decisions are made after thorough evaluation and consideration of all relevant factors.

Communication Protocol

Please refrain from contacting the Surfshark support team regarding the status of a submitted report. Our Bounty Program has a designated process for handling submissions, and any inquiries may divert attention from the efficient resolution of identified issues.

SUBMISSION PROCESS

Should you believe you have identified a Vulnerability aligning with the specified requirements outlined in these Terms, you have the option to submit it to Us. This can be done by adhering to the following process:

Every Vulnerability submitted to Surfshark is considered a "Submission" Submissions should be directed to [email protected]. In the introductory email, clearly indicate the details of the Vulnerability, and specify the product version numbers used for validating your research. If specially crafted files are required, they should be submitted as attachments. Screenshots are encouraged while videos are discouraged, unless necessary. Submissions should not consist solely of a video. Additionally, include as much of the following information as possible:

  • Type of issue.
  • Product and version containing the bug, or the URL if related to an online service.
  • Any service packs, security updates, or other applied updates for the installed product.
  • Specify any special configuration necessary to replicate the issue.
  • Step-by-step instructions for reproducing the issue on a fresh install.
  • Include any proof-of-concept or exploit code.
  • Provide insights into the impact of the issue, detailing how an attacker could potentially exploit it.

Surfshark engineers will conduct a thorough review to validate its eligibility. We usually disclose reports within three (3) months after Submission is received or fixing time, however, the duration of the review process may vary based on the complexity and completeness of your Submission, as well as the volume of Submissions received.

Surfshark maintains sole discretion in determining the qualification of Submissions, adhering to the rules outlined in the Program Terms.

Surfshark bears no responsibility for Submissions that are not received for any reason. If you do not receive a confirmation email following your Submission, please contact Surfshark at [email protected] to verify that your Submission has been received.

ADDITIONAL REQUIREMENTS FOR PROGRAM PARTICIPANT

Participation in the Program necessitates adherence to the following rules:

  • Refrain from engaging in any illegal activities.
  • Avoid activities that exploit, harm, or pose threats to children.
  • Do not send spam, including unwanted or unsolicited bulk email, postings, contact requests, SMS (text messages), or instant messages.
  • Refrain from sharing inappropriate content or material involving nudity, bestiality, pornography, graphic violence, or criminal activity.
  • Abstain from engaging in false or misleading activities.
  • Do not partake in activities that are harmful to yourself, the Program, or others, such as transmitting viruses, stalking, posting terrorist content, communicating hate speech, or advocating violence.
  • Avoid infringing upon the rights of others, including unauthorized sharing of copyrighted material, and refrain from activities that violate the privacy of others.
  • Do not assist others in breaking these rules.

Violation of these terms may result in your prohibition from future Program participation, and any Submissions provided may be deemed ineligible for Bounty payments.