Security Audits
GlobaLeaks undergoes independent security audits periodically to verify and enhance the security of the system. This page lists the most significant reports available.
We aim to have audits conducted at least every two years, thanks to funding opportunities. Each adopter is encouraged to contribute by funding a general or topic-specific audit based on their capabilities. This helps ensure that every algorithm, component, and methodology applied within the project is thoroughly verified.
If you have conducted or are considering sponsoring a security audit, please email us at info@globaleaks.org. This is especially important for general software security. When requesting a company to audit the software, always remember to ask if the report can be published afterward; many auditors may not agree to publish the report later, which has often led to wasted project resources.
If you are an independent security auditor or, during your peer review of GlobaLeaks, you discover or suspect a vulnerability, please do not file a public issue. Instead, send your report privately through our reporting form at https://github.com/globaleaks/whistleblowing-software/security/advisories/new or via email to security@globaleaks.org.
Date | Auditor | Goal | Report |
---|---|---|---|
2013 | | Architecture Audit | |
2013 | | Web Security Audit | |
2014 | | Source Code Audit | |
2018 | | Overall Audit | |
2019 | | Crypto Audit, Multi-tenancy Audit, Overall Audit | |
2022 | | Server Source Code Audit, Client Pentest, OpSec for Whistleblowers, OpSec for Server Administrators | |
2024 | | Surface Analysis and Network Penetration Test | |