Anonymous whistleblowing can be easy and secure. Unfortunately, no
technology is perfect and GlobaLeaks believes that working with skilled
security researchers across the globe is crucial in identifying software
While we do our best to provide secure software by default, security vulnerabilities and new attack techniques must be taken into account. If you believe you've found a security issue in the GlobaLeaks framework codebase, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
Please read the following guidelines carefully!
- We're looking for bugs affecting the confidentiality, integrity and availability of our users, within the boundaries of the threat model. Examples of software vulnerabilities include, but are not limited to, XSS, CSRF, anonymity or privacy weaknesses, and code execution.
- We're ONLY interested in software vulnerabilities affecting our open source codebase.
- For details on how to deploy your own GlobaLeaks node for testing, please refer to the GlobaLeaks Installation Guide.
While researching, we'd like to ask you to refrain from:
- Testing any public installations of GlobaLeaks. Security testing should be performed on your local deployment.
- Testing https://www.globaleaks.org, https://hermescenter.org/ or other assets related to GlobaLeaks. We're not looking for software vulnerabilities or misconfigurations in our institutional sites
- Social engineering and phishing of GlobaLeaks staff
- Any physical attempts against GlobaLeaks property
We'd also like to ask you to:
- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to resolve it quickly
- Provide us with a reasonable amount of time to resolve the issue before any disclosure to the public or a third party
- Avoid public disclosure of previously unknown vulnerabilities. Many organizations rely on GlobaLeaks software, and we don't want to put any running whistleblowing platform in jeopardy
We're an open source project, backed by a non-profit association. As a result, we're not in the position to offer a monetary bounty for reports of qualifying security vulnerabilities. To show our appreciation, we will be happy to reward qualifying reports by sending a Hermes Center-branded USB key with Tails pre-loaded. In special cases, your submission may
qualify for our traditional Italian wine and grappa. Eligibility is at our
Thank you for helping keep GlobaLeaks safe!