This tentative roadmap is built by the GlobaLeaks team in order to try to respond to main users’ needs. Please get sure that the needs of your projects and users are well represented on the project Ticketing System. If your organization could fund the development of parts of this roadmap please write us at email@example.com
GlobaLeaks is free, open source software enabling anyone to easily set up and maintain a secure whistleblowing platform.
Started in 2011, the software is now widely used worldwide by more than 3000 organizations working in the fields of anti-corruption activism, human rights violations reporting, investigative journalism, and corporate compliance.
This document details the main areas of research development and represents the actual tentative readmap of consolidation planned for 2023-2025 based on the analysis of the large set of user needs collected within the official Ticketing System.
Application Client Update¶
GlobaLeaks client is still based on Angular 1 and on other stable but outdated components. Considering the maturity of the technology and of the libraries adopted, this does not currently represent any security risk but as the time passes by, it significatively impacts the possibility of growth of the application, especially in relation to the set of planned project extensions.
Within this project idea we propose to rewrite the current application client pursuing the following set of goals:
Bump of the core client library from AngularJS to Angular;
Bump of Bootstrap library from Bootstrap 4 to Bootstrap 5;
General optimization and modularization of the client
Statistics and Reporting¶
GlobaLeaks still misses the implementation for any generation of statistics and reports. Such features are considered fundamental in order to properly support users in analysis, investigation and reporting.
Recipients should be able to visually see statistics about the received reports received and the data contained; these statistics should empower users in their work providing relevant information out of the data collection that could help users analyze and study social problems like corruption and be able to organize and export automatic reporting;
Administrators should be able to visually see a dashboard in order to monitor the system and assure that all is working well (e.g. that recipients are receiving submissions and are able to access them and that no attacks are performed on the system).
A client library could be adopted to generate reports directly on the client (e.g. Chart.js)
The implementation should support the possibility of exporting the report in PDF; in relation to this aspect it should be considered the advantages of a possible backend implementation.
GlobaLeaks still misses the implementation of a complete audit logit. This is considered a fundamental feature in order to achieve full accontability of the whistleblowing process and increase security.
Software audit log should be improved
The software could exposes a standard log interfaces in CEF/LEEF/Syslog format to foster integration with third party SIEM software.
GlobaLeaks implements by-design many best practices in matters of privacy and security. In order to be effectively accepted and competitive beside commercial proprietary solutions and to guarantee the sustainability of the project, the software needs to achieve some market “standards” (e.g. GDPR compliance / ISO certifications / etc.); among all we selected that GDPR compliance is a first step where the software could implement best practices (e.g. procedures for self signup should present appropriate legal notices, terms of services, and contractualization). Within the software, there should be implemented an automatic contract generation via PDF or other suitable formats in respect with the GDPR requirements.
Backup and Restore¶
GlobaLeaks currently misses any feature for performing backup and restoring of its setup. These duties are currently performed by its users following typical best manual practices (e.g. archiving the data directory of the application). This project idea is to research the best practices to be applied in this context and to identify suitable strategies for implementing periodic, secure and encrypted backups to be restored upon necessity.
Import and Export of Tenants¶
Part of the software is a recent feature of Multitenancy, first implemented in 2018 and stabilized during 2019. Through this feature, GlobaLeaks makes it possible to create multiple setups of itself via virtual sites (similarly to Wordpress multisite feature). In order to make it more easy for an administrator to migrate a platform form a system to an other or to enable users to require data portability from a globaleaks provider to an other, for example in relation to GDPR it has been evaluated necessary to improve the multi tenancy implementation by implementing support for import-export of tenants. In the context of a whistleblowing application, involving encryption and logging this poses important challenges on how to best handle this process.
(To be further researched)
Important requirement at the base of the Multitenancy expansion is the possibility to enable users to be administrators and recipients of two or multiple instances running on the same multi-site setup. This is useful for example when a lawyer takes part as a recipient on multiple projects; as well it is useful when an ICT consultant joins consultancy on multiple projects.
This could significatively simplify user access enabling the user to have a single set of username and password and associated keys.