GlobaLeaks is the first open-source secure submission framework. GlobaLeaks is free, open source software enabling anyone to easily set up and maintain a secure whistleblowing platform.
GlobaLeaks, the first open-source secure submission framework, was one of the first projects supported by OTF. Since its creation, GlobaLeaks has been challenged to implement a secure technology with maximum usability. The innovative software behind GlobaLeaks is set to become the standard for whistleblowing applications, upending a process that has been dominated by closed-source technologies. To help make this a reality, GlobaLeaks engaged OTF to perform safety and security audits of its platform.
Radically Open Security (ROS) conducted a penetration test GlobaLeaks source code from June – August 2022. ROS performed a combined audit of the GlobaLeaks source code and a pentest on https://try.globaleaks.org in order to find vulnerabilities in the platform. A major objective of this exercise was ensuring privacy and plausible deniability for whistleblowers, and to assess the security posture of the GlobaLeaks server and web frontend.
ROS discovered zero critical, zero high, ten elevated, eight moderate, and eight low-severity issues during the penetration test. All issues have since been addressed by GlobaLeaks.
When studying the GlobaLeaks source code, ROS found that a security-in-depth approach had been used, which contributed to the low severity of findings and number of non-findings reported, indicating a high-level of attention to security and safety for the platform.
Security is a process which must be continuously evaluated and improved. Regular audits and ongoing improvements are essential in order to maintain control of information security. This audit contributed meaningfully towards that end.