Perform a Security Audit of Globaleaks #4430

Open
evilaliv3 opened this issue Mar 9, 2025 · 0 comments
evilaliv3 commented Mar 9, 2025

Description:

Security is a critical aspect of any software project, and Globaleaks is no exception. In this task, you will help improve the security of Globaleaks by performing a security audit. This involves testing the public demo instances (such as demo.globaleaks.org and try.globaleaks.org) to identify potential vulnerabilities and areas for improvement. You will be asked to focus on common security concerns such as authentication, data integrity, and potential exposure of sensitive information.

Additionally, Globaleaks has a Security Policy in place for reporting security issues responsibly. Please make sure to review it before submitting any findings.

If you're interested in performing a full security audit, you can refer to previous penetration tests and security audits to help guide your testing. You may also have the option to officially publish your security audit report if it’s thorough and meets the required standards.

Steps:

  1. Explore the Demo Instances:

    • Test the demo.globaleaks.org and try.globaleaks.org instances to review their security measures. Look for potential issues such as:
      • Authentication vulnerabilities
      • Data leakage
      • Encryption issues
      • Any other potential security flaws such as cross-site scripting (XSS), SQL injection, or improper access control.
  2. Perform Security Testing:

    • Explore common attack vectors such as:
      • Brute-force login attempts.
      • Session fixation or hijacking.
      • CSRF or XSS vulnerabilities.
    • Document any vulnerabilities or areas for improvement that you discover.
  3. Review the Security Resources:

    • Familiarize yourself with the following security-related resources to better understand the design and security measures of Globaleaks:
  4. Review Existing Security Audits:

    • Globaleaks has undergone previous security audits. These documents can help inform your audit approach:
      • Security Audits
      • If you are interested in providing a full security audit, the reports from these previous tests are available, and you may also have the option to officially publish your own findings following the same process.
  5. Review the Security Policy:

    • Before reporting any findings, make sure to review the official Globaleaks Security Policy to understand the proper process for reporting security issues.
    • Follow the guidelines in the policy for responsible disclosure.
  6. Report Your Findings:

    • If you find any security issues, report them responsibly following the process outlined in the Security Policy.
    • Provide clear details about the vulnerabilities, including how they were found and potential impact.
    • If no critical issues are found, provide general feedback on improving the security posture of Globaleaks.
  7. Submit a Pull Request (Optional):

    • If you have identified and fixed minor security-related issues (such as updating dependencies, improving security headers, etc.), submit a pull request with your changes.
    • Ensure your pull request is based on the latest code version to avoid conflicts.

Prerequisites:

  • Basic Understanding of Web Security: Familiarity with common web security vulnerabilities (e.g., XSS, SQL Injection, CSRF, etc.) is helpful.
  • Knowledge of Security Testing Tools: You can use tools like Burp Suite, OWASP ZAP, or manual testing methods for identifying security flaws.
  • No Prior Security Experience Required: While a basic understanding of security concepts is helpful, this task is designed to introduce you to security auditing and give you hands-on experience.

Why it's a Great Contribution:

  • Contributing to a security audit is a high-impact task that helps ensure the safety and integrity of the Globaleaks platform.
  • Your work will help protect both the data of users and the overall trustworthiness of the project.
  • This is a great opportunity to gain experience in security auditing and become familiar with the best practices for secure software development.

Helpful Links:

@globaleaks globaleaks locked and limited conversation to collaborators Mar 9, 2025