Surfshark bounty terms and conditions
GENERAL
Participation in the Surfshark Bug Bounty Program ("Program") is governed by the Surfshark Bounty Terms and Conditions ("Terms"). These Terms establish an agreement between you and Surfshark B.V. ("Surfshark," "Us," or "We").
Upon submitting any bugs to Surfshark or engaging in the Program in any capacity, you acknowledge and agree to abide by these Terms. IF YOU DO NOT AGREE TO THESE TERMS, PLEASE DO NOT SEND US ANY SUBMISSIONS OR OTHERWISE PARTICIPATE IN THIS PROGRAM.
These Terms are subject to change, and We retain the right to make modifications at any time. By continuing your participation in the Program following the implementation of such changes, you indicate your acceptance of the updated Terms. If you do not agree with the revised Terms, you should refrain from participating in the Program.
Should you wish to opt-out of the Program and exclude yourself from Bounty consideration, kindly reach out to Us at security@surfshark.com. It is important to note that opting out will not impact any licenses granted to Surfshark for the Submissions you have provided.
OVERVIEW
The Surfshark team collaborates with the security community to proactively identify vulnerabilities, enhancing the safety of our businesses and customers. Through the Program, users have the opportunity to report vulnerabilities and exploitation techniques ("Vulnerabilities") associated with eligible Surfshark products and services ("Products"). Participants stand a chance to earn rewards, the amount of which is determined solely at Surfshark's discretion ("Bounty"). Decisions made by Surfshark regarding Bounty allocations are conclusive and final. It is important to note that Surfshark reserves the right to modify or terminate this Program at its discretion, and such decisions may be implemented at any time and for any reason.
SAFE HARBOR
In support of research and responsible disclosure, any activities conducted in a manner consistent with these Terms will be considered authorized conduct, and we will not initiate legal action against you.
It is important to note that for third-party involvement, We cannot bind them, and they may pursue legal action. We do not authorize security research on behalf of other entities and cannot protect you from third-party actions.
Compliance with applicable laws and Program guidelines is expected. Before engaging in conduct potentially inconsistent with Our Terms, contact Us. We reserve the right to determine the nature of violations, with proactive communication influencing Our decision.
When reporting through Our Bounty Program, We share non-identifying details with affected third parties only after notifying you and obtaining their commitment not to take legal action. Your identifying information will not be shared without your written consent. Out-of-scope testing for third parties is not authorized, and we do not guarantee protection from third-party actions. If legal action arises due to Bounty participation and compliance with our Terms, We will aim to affirm your adherence, though court orders may compel Us to share information.
PARTICIPATION ELIGIBILITY
To be eligible to participate in the Program, you must meet the following criteria:
- You must be 18 years of age or older.
- You should either be an individual researcher acting in your personal capacity or an employee of an organization that permits your participation. Review and adhere to your employer's regulations concerning involvement in the Program.
- Note for Public Sector Employees: It is the sole responsibility of public sector employees (government and education) to obtain explicit permission from their respective institutions, confirming their eligibility to participate in the Program and receive any associated Bounty directly. Such approval should be documented through a gift letter signed by the organization's ethics officer, attorney, or designated executive/officer overseeing gifts/ethics policy. Surfshark emphasizes that compliance with participants' relevant gifts and ethics regulations is crucial. The company disclaims any liability arising from violations of this clause.
You are not eligible to participate in the Program if you meet any of the following criteria:
- You are a resident of countries under U.S. or EU sanctions or any other nation prohibiting participation in such programs.
- You are under the age of 18.
- Your organization does not permit participation in these types of programs.
- You are a public sector employee (government and education) without permission from your ethics compliance officer.
- You are currently an employee of Surfshark or any affiliated Surfshark entity, or an employee of the affiliated group entity, or an immediate family or household member of such an employee.
- Within the 24 months before providing your Submission, you were an employee of Surfshark or any affiliated Surfshark entity, or of the affiliated group entity.
- You currently (or within 24 months before providing your Submission) perform contractual services for Surfshark or any affiliated Surfshark entity in an external staff capacity requiring access to the internal security or other internal systems.
It is your responsibility to comply with your employer's policies that may affect your eligibility. Participation in violation of your employer’s policies may lead to disqualification. All payments will adhere to local laws, regulations, and ethics rules. Surfshark disclaims any liability for disputes between an employee and their employer arising from this matter.
There may be additional restrictions on your ability to enter depending on your local laws.
GRANT OF LICENSE AND OTHER INFORMATION
By submitting any material to Surfshark, you:
Grant Surfshark a non-exclusive, irrevocable, perpetual, royalty-free, worldwide, and sub-licensable license to the intellectual property in your Submission, including the rights to:
- Use, review, assess, test, and analyze your Submission.
- Reproduce, modify, distribute, publicly display and perform, commercialize, and create derivative works of your Submission and its content, whether in whole or in part.
Also, you:
- Agree to sign any necessary documentation required for Surfshark or its designees to confirm the rights granted above.
- Acknowledge that Surfshark may have developed or commissioned materials similar or identical to your Submission and waive any claims arising from similarities.
- Understand that no guaranteed compensation or credit is ensured for the use of your Submission.
- Represent and warrant that your Submission is your original work, free from the use of information owned by another person or entity, and that you possess the legal right to provide the Submission to Surfshark.
CONFIDENTIALITY AND DISCLOSURE RESTRICTIONS
During your participation in the Program, We insist on maintaining the confidentiality of Bounty Submissions, prohibiting their disclosure to third parties or inclusion in paper reviews or conference submissions. Once a Vulnerability is resolved, you may share high-level descriptions of your research and non-reversible demonstrations.
However, detailed proof-of-concept exploit code and information that could facilitate attacks on customers must be withheld for 30 days post-resolution. Surfshark will notify you upon fixing the Vulnerability, and it is important to note that payment may occur before the fix is released, but receipt of payment should not be construed as confirmation of the fix's completion.
Violations of this section may necessitate the return of any bounties paid for that Vulnerability and could disqualify you from participating in the program in the future.
REWARD PAYMENT
Bounties are awarded following Our meticulous triage process. The size of the reward is determined on a case-by-case basis, considering factors such as severity, business impact, and the creativity involved in identifying the issue. We reserve the exclusive right to decide the reward size based on these considerations. Decisions made by Surfshark regarding Bounty reward are final and binding.
If your Submission is deemed eligible for a Bounty under these Terms, We will inform you of the Bounty amount and provide the necessary paperwork for payment processing. You have the option to waive the payment if you choose not to receive the Bounty.
In the event of a dispute regarding the qualified submitter, we will consider the eligible submitter to be the authorized account holder of the email address used to enter the Program.
You cannot designate someone else as the Bounty recipient unless you are considered a minor in your place of residence.
If you decline or are unable to accept the Bounty, We reserve the right to rescind it.
If you accept a Bounty, you are solely responsible for all applicable taxes related to the received payment(s).
NO WARRANTIES
SURFSHARK, AND OUR AFFILIATES, RESELLERS, DISTRIBUTORS, AND VENDORS, MAKE NO WARRANTIES, EXPRESS OR IMPLIED, GUARANTEES OR CONDITIONS WITH RESPECT TO THE PROGRAM. YOU UNDERSTAND THAT YOUR PARTICIPATION IN THE PROGRAM IS AT YOUR OWN RISK. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAW, WE EXCLUDE ANY IMPLIED WARRANTIES IN CONNECTION WITH THE PROGRAM. YOU MAY HAVE CERTAIN RIGHTS UNDER YOUR LOCAL LAW. NOTHING IN THESE TERMS IS INTENDED TO AFFECT THOSE RIGHTS, IF THEY ARE APPLICABLE.
LIMITATION OF LIABILITY
If you have any grounds for seeking damages related to the Program (including breaches of these Terms), you acknowledge that your exclusive remedy is limited to recovering direct damages, up to a maximum of $100.00, from Surfshark or any affiliates, resellers, distributors, third-party providers, and vendors. You are not entitled to recover any other damages or losses, including direct, consequential, lost profits, special, indirect, incidental, or punitive damages.
These limitations and exclusions are applicable even if the provided remedy fails to fully compensate you for any losses or if it does not fulfill its essential purpose, or if we were aware or should have been aware of the possibility of damages. To the fullest extent permitted by law, these limitations and exclusions extend to all matters and claims related to these Terms and the Program.
GOVERNING LAW
These Terms shall be governed by the laws of the Netherlands without reference to conflict of laws principles.
UNSOLICITED IDEAS
Apart from your Submission, Surfshark does not entertain or welcome unsolicited proposals or ideas. This includes, but is not limited to, ideas for new products, technologies, promotions, product names, product feedback, and product improvements ("Unsolicited Feedback"). If you transmit any Unsolicited Feedback to Surfshark through the Program or any other means, Surfshark provides no guarantee that your ideas will be treated as confidential or proprietary.