The audit has been carried out by the acknowledged German security company Cure53
Privacy protection software company Surfshark has become one of the very few virtual private network (VPN) service providers that have completed an independent security audit. The security assessment concluded that the tested applications are not exposed to any issues, either in the privacy realm or in the more general security realm.
The investigation encompassed a penetration test as well as a code audit, throughout which Cure53 testers employed a white-box methodology. Despite the extensive efforts of the investigating team, the test yielded only two issues: one is an actual vulnerability that is not even related to the browser extension itself, and the other is a general weakness.
"The findings stand out with relation to being very rare for the VPN browser extension products, which commonly suffer from various issues," says Mario Heiderich, Doctor of Engineering at Cure53. "As the extremely low number of findings and their limited implications clearly indicate, the results of this assessment of the Surfshark extensions position the product in a very good light."
Both minor issues found have already been resolved by Surfshark, making its extensions bullet-proof both privacy- and security-wise.
"Currently, browser extensions are the most popular apps to stay private while surfing the web, that is why we started with them. We have carried out an external security audit to prove our commitment to transparency and deliver on a promise of diamond-strong protection," explains Magnus Steinberg, Chief Technology Officer at Surfshark.
He adds that external audits should become a staple in the VPN industry for two main reasons. Firstly, they give essential feedback which helps developers and engineers to improve services. Secondly, audits provide credibility in the eyes of the customer by validating marketing claims.
Only a handful of VPN providers have been audited by professional investigators.
"The situation of the whole VPN market is worrying, since close to no VPN providers can truly substantiate claims of full privacy and security. Having an external audit is one of the very few ways to prove your claims," says Magnus Steinberg.
A full audit report can be found here.