Anonymous whistleblowing can be easy and secure.
Unfortunately, no technology is perfect and GlobaLeaks believes that working with skilled security researchers across the globe is crucial in identifying software weaknesses.
While we do our best to provide secure software by default, security vulnerabilities and new attack techniques must be taken into account. If you believe you've found a security issue in the GlobaLeaks codebase, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
Please read it carefully!
- We're looking for bugs affecting the confidentiality, integrity and availability of our users within the boundaries of the threat model. Examples of software vulnerabilities include, but are not limited to, XSS, CSRF, anonymity or privacy weaknesses, code execution, etc.;
- We're ONLY interested in software vulnerabilities affecting the software codebase and the live demo;
- For more details on how to deploy your own GlobaLeaks platform, please refer to the GlobaLeaks Installation Guide;
While researching, we'd like to ask you to refrain from:
- Testing any public installations of GlobaLeaks. Security testing should be performed on your local deployment or against try.globaleaks.org only;
- Testing https://www.globaleaks.org, or other assets related to GlobaLeaks. We're not looking for software vulnerabilities or misconfiguration in our institutional sites;
- Spamming;
- Social engineering and phishing of GlobaLeaks staff;
- Any physical attempts against GlobaLeaks property.
- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue;
- Provide us with a reasonable amount of time to resolve the issue before any disclosure to the public or a third party;
- Avoid public disclosure of previously unknown vulnerabilities. Many organizations rely on GlobaLeaks software, thus we don't want to put any running whistleblowing platform in jeopardy.
We're an open source project. Due to limited resources, we unfortunately cannot offer a monetary bounty for reports of qualifying security vulnerabilities, and we thank you for your support anyhow.
Thank you for helping keep GlobaLeaks safe!
Scope Type | Scope Name |
---|---|
web_application | try.globaleaks.org |
web_application | https://github.com/globaleaks/GlobaLeaks |
FireBounty crawled the GlobaLeaks program on the HackerOne platform on 2015-10-25.