iSecPartners Report - 2langnic/GlobaLeaks GitHub Wiki
GlobaLeaks received an architectural audit, conducted by iSecPartners, during the very early stage of the development of GlobaLeaks 2. The audit was done in Q1 2013 and was sponsored by the Open Technology Fund (RFA).
The Penetration Test focused on two main pillars:
- Review of the Technical Architecture
- Review of Threat Model
- Review of Application Security Design and Details
This security audit led to a strong improvement of the following specification documents:
Those two documents represent the foundation of the GlobaLeaks Security Architecture.
The audit report is not publicly available due to non-disclosure agreement constraints from iSecPartners. To overcome this issue, the GlobaLeaks Team is available for a private review of the report over video conference.
Open Issue
We still have one open issue from the penetration test; fixing it properly requires a new feature (Email Digest) to be implemented:
The GlobaLeaks team would like to thank iSecPartners for the audit and the Open Technology Fund for sponsoring it.