Surfshark Dausos Audit Findings Show No Critical Vulnerabilities in Protocol
- Surfshark Dausos audit findings: Cure53 audit found no critical or high severity vulnerabilities within Dausos protocol scope
- Out-of-scope risks identified: High severity issues found in external infrastructure, not within Dausos protocol evaluation scope
- Recommendations and future validation: Cure53 recommends formal specification, threat model, and further audits to ensure long-term protocol resilience
Surfshark has announced the results of an independent security assessment of its proprietary Dausos VPN protocol, with auditors reporting no Critical or High severity vulnerabilities within the protocol itself.
The audit was conducted by Cure53, which performed a white-box penetration test and source code review focused on the protocol’s architecture, cryptographic design, and session management. The assessment took place in February and March 2026 and covered multiple components, including control and data channels, key exchange mechanisms, and forward secrecy implementation.
Audit Scope and Findings
According to the published summary, the evaluation identified a total of ten findings. Seven were classified as security vulnerabilities, while three were categorized as miscellaneous issues or best-practice recommendations.
Of these, eight findings were within the scope of the Dausos protocol and were rated Medium severity or lower. The report noted that no Critical or High severity issues were discovered in the protocol itself.
However, the auditors also identified higher-severity vulnerabilities in external hosting infrastructure. These were classified as out-of-scope (OOS) for the protocol-focused assessment and were therefore not included in the core evaluation of Dausos.
The report further stated that most of the identified issues were addressed by Surfshark following the testing phase and subsequently verified by the auditors.
Focus on Cryptography and Architecture
The audit represents the first time Surfshark has undergone a review specifically centered on the architecture and cryptographic components of the Dausos protocol.
Cure53 highlighted the protocol’s use of a hybrid cryptographic approach combining classical and post-quantum techniques. This includes key exchange based on both elliptic-curve Diffie–Hellman and a post-quantum key encapsulation mechanism (KEM), along with hybrid authentication that combines traditional certificates with post-quantum signatures.
The resulting shared key is used with AEGIS-based authenticated encryption (AEAD) in the data channel to secure communication between client and server.
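The hybrid pattern described above, as an added illustration (not Surfshark’s or Cure53’s code, and not Dausos’ actual construction): a classical ECDH shared secret and a post-quantum KEM shared secret are combined through a KDF so that the session key stays secret unless both components are broken. The ECDH and KEM outputs are constructed sample bytes; the KDF is HKDF-SHA256 and the directional key labels are assumptions.

```python
"""Hybrid key combiner: K = HKDF(salt=H(transcript), IKM=ss_ecdh || ss_kem).
Only the combiner is shown; the ECDH/KEM values are constructed bytes, not real
key agreement. Assumes fixed-length (32-byte) component secrets."""
import hashlib
import hmac

HASH = hashlib.sha256

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # RFC 5869 extract step: PRK = HMAC-Hash(salt, IKM)
    return hmac.new(salt, ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    # RFC 5869 expand step: T(i) = HMAC(PRK, T(i-1) || info || i)
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]

def combine_hybrid_secrets(ss_ecdh: bytes, ss_kem: bytes, transcript: bytes) -> bytes:
    """Concatenation combiner. Hashing the handshake transcript into the salt
    binds the key to the exact public values exchanged; an attacker who learns
    only one of the two component secrets cannot recompute K."""
    return hkdf_extract(HASH(transcript).digest(), ss_ecdh + ss_kem)

def derive_data_channel_keys(master: bytes, key_len: int = 32) -> dict:
    """Expand the master secret into one AEAD key per direction (these would
    feed an AEAD such as AEGIS). The info labels are example values."""
    return {
        "c2s": hkdf_expand(master, b"example hybrid c2s key", key_len),
        "s2c": hkdf_expand(master, b"example hybrid s2c key", key_len),
    }

def single_component_insufficient(ss_ecdh: bytes, ss_kem: bytes, transcript: bytes) -> bool:
    """Check the hybrid property: replacing either component with attacker-chosen
    bytes (here zeros) must yield a different session key."""
    k = combine_hybrid_secrets(ss_ecdh, ss_kem, transcript)
    k_no_kem = combine_hybrid_secrets(ss_ecdh, b"\x00" * len(ss_kem), transcript)
    k_no_ecdh = combine_hybrid_secrets(b"\x00" * len(ss_ecdh), ss_kem, transcript)
    return k != k_no_kem and k != k_no_ecdh

# Constructed sample inputs standing in for X25519 and ML-KEM outputs.
SAMPLE_ECDH = bytes(range(32))
SAMPLE_KEM = bytes(range(32, 64))
SAMPLE_TRANSCRIPT = b"client_hello|server_hello|kem_ciphertext|certificates"
```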
Recommendations and Next Steps
Despite the absence of high-severity findings within the protocol, Cure53 recommended that Surfshark develop a formal protocol specification and a comprehensive threat model to support long-term security and clarity. The firm also suggested a follow-up assessment to further validate the design.
Context and Availability
Dausos is a recently introduced VPN protocol developed by Surfshark, positioned as an alternative to established options such as WireGuard and OpenVPN. The company has emphasized performance improvements and post-quantum resilience as key features.
As of now, the protocol is available through Surfshark’s macOS application, with broader platform support expected in the future.
Independent audits are a standard step in validating new technologies, but broader adoption and continued evaluation will also shape the protocol’s long-term performance and security profile.