Surfshark No-Log Audit Report Insights and Analysis

Updated On -

All information on this site is harmless and purely for educational purposes, which is why we post only authentic, unbiased information! The affiliate links are really there for discounts for our readers and for us to earn small commissions that help us stay afloat! Thanks! read more

For some time, VPNs had to deliver their services on a promise-like basis. It is sometimes hard to back up the zero-logs privacy claims because there is a pressure from not only government agencies but also surveillance centers for tighter netizens’ control. There are several adverse incidents which take place in the past which advertise the VPN service in a wrong manner.

But, over the past few years, a new practice of independent auditing has emerged. It has proved to be an effective way for various VPN service providers to test their security features and provide exceptional service to the users of what they had just promised. 

Different VPN providers, like ExpressVPN, NordVPN, PureVPN, and VyprVPN, were able to defend their statements with reliable facts and verification proofs by top auditing companies around the globe.

Let’s drive in to see how SurfShark VPN moved in the line of such practice. Who did the service audit? And what was concluded from the inspection? So, just read on.

Surfshark Audit Report:

Surfshark VPN has become one of the most popular privacy tools in the market. When it came out earlier during the year 2018, the majority of the users had a good feeling about this service. It was evident that the people behind it knew what they were doing.

The VPN service provider came out with no simultaneous connection limit as well as a full-fledged no-log policy. It doesn’t mean ‘’no activity logs’’ or some other marketing phrase, but zero logs. With time, SurfShark VPN expands in network size, number of supported platforms, and increased feature list.

In late 2018, the company took another step in Surfshark’s evolution as it published the result of an independent audit. The audit report successfully claim it a no-log VPN provider and was crowned as the best VPN newcomer of 2019.

In the entire audit process, the VPN gave both Chrome and Firefox browser extensions with the source code to Cure53 for in-depth analysis. The report states that the foremost aim of the project was to attain an external view of how well the VPN browser extension handles the security and privacy of the users. 

After the audit was done so, it concluded that whatever promises were made to users regarding protecting against DNS and IP leaks were kept. Both a code audit and a penetration test were done to verify the no-log claim.

Why choose Cure53?

SurfShark, for its first independent audit, chooses a German cybersecurity company, Cure53. It is a respected and reliable firm in the security sphere, which is known for the integrity of its analysis along with one or two scandals it uncovered in the past. Its team was behind the shutdown of a parental control app distributed by the South Korean government.

Although the VPN industry is full of bold and boastful statements regarding anonymity, security, and privacy, however, independent audits are infrequent. When TunnelBear VPN completed its review in 2017, it was also performed by Cure53. Of its significant experience and value in the market, SurfShark decided to choose Cure53 as its auditors.

What did the report say?

It is quite understandable and clear why independent audits and public reports of such inspections are rare. Their subjects have a bit less to gain but a lot to lose. In an industry that is built on promises of utmost privacy and security, reports of security holes are best avoided. But that’s where the hypocrisy rises- after all, preventing bugs, exploits, and leaks is much easier if you submit your service to such audit companies. 

To fortify and reinforce the reliability of the results, Cure53 testers hired the so-called white-box methods while they were assessing the VPN. They do so to reach the right level of coverage, which clear all doubts and questions of the targeted audience. 

The members of the Cure53 team conclude that the tested applications have an extremely robust impression and are not exposed to any issues. It implies to both privacy and general security jurisdictions.

The report also included the findings of Chrome and Firefox extensions. According to the results, both extensions stand out in relation of being rare for VPN browser extension products that suffer from different issues.

The Cure53 audit team worked for five days and found just two vulnerabilities. One they marked as ‘Low impact’, which was not related to the browser extension and another was of a more general flaw. The team addressed the issue to ensure a bullet-proof service by all means.

The auditors were extremely satisfied to see a robust security posture on the SurfShark VPN extensions, especially given the shared vulnerability of similar products to privacy issues.

Findings and Insights:

The findings of the audit report reveal two vulnerabilities identified by Cure53. One is the service invitation emails which uses an unencrypted HTTP link. Well! It is not a severe issue as it may allow an attacker who can spy on the connection of the user. 

However, the second issue is that the code has a line that configures the proxy to use an unencrypted HTTP connection. Although it sounds worrying, it is impossible for the necessary condition to occur.


To sum up all, the ambitious and primary VPN providers one after the other, are checking their services for potential vulnerabilities. These audits look an effective way to back up and defend the security and privacy claims these companies make on their website. 

Many VPN providers who promise top-notch privacy in their policies fail to keep their promise which results in keeping users’ logs. However, the audit strategy is now becoming the new customer standard for picking up the best VPN service provider.