Security Audits

GlobaLeaks undergoes independent security audits periodically to verify and enhance the security of the system. This page lists the most significant reports available.

We aim to have an audit conducted at least every two years, subject to funding. Each adopter is encouraged to contribute, according to its means, by funding either a general audit or an audit of a specific topic. Over time this helps ensure that every algorithm, component, and methodology used in the project is independently verified.

If you have conducted a security audit, or are considering sponsoring one, please email us at info@globaleaks.org so the work can be coordinated; this matters most for general audits of the software as a whole. When engaging a company to audit the software, always ask up front whether the report may be published afterwards: auditors have often declined to publish once the work was done, which has wasted project resources.

If you are an independent security auditor, or you discover or suspect a vulnerability while peer-reviewing GlobaLeaks, please do not file a public issue. Instead, send your report privately through the reporting form at https://github.com/globaleaks/whistleblowing-software/security/advisories/new or by email to security@globaleaks.org.

Date | Auditor | Goal | Report
2013 | iSecPartners | Architecture Audit | Report
2013 | Cure53 | Web Security Audit | Report
2014 | LeastAuthority | Source Code Audit | Report
2018 | SubGraph | Overall Audit | Report
2019 | RadicallyOpenSecurity | Crypto Audit, Multi-tenancy Audit, Overall Audit | Report
2022 | RadicallyOpenSecurity | Server Source Code Audit, Client Pentest, OpSec for Whistleblowers, OpSec for Server Administrators | Report
2024 | ISGroup | Surface Analysis and Network Penetration Test | Report