Has the code been reviewed?
Since 2021, Cure53 has performed a series of nine audits in order to provide a 360-degree review of the passbolt ecosystem as a whole. Each audit involved several security researchers and lasted about a week.
In the meantime, passbolt has successfully completed a SOC 2 Type II audit, a well-established and recognized information security compliance standard.
Code and Infrastructure security audits
July 2023: User directory integration & DirectoryTree LdapRecord library
PBL-09 Cure53 report: This report describes the results of a security assessment of the passbolt complex, spanning the external DirectoryTree LdapRecord library and related backend API.
March 2023: Passbolt SSO
PBL-08 Cure53 report: This report describes the results of a security assessment of the passbolt complex, spanning the passbolt SSO feature, related backend API and browser extensions.
July 2022: Passbolt Crypto and Account recovery
PBL-07 Cure53 report: This report describes the results of a security assessment of the passbolt complex, spanning several of the newer passbolt features, including the account recovery feature and the ECC key support.
December 2021: Mobile applications and go-passbolt-cli
PBL-06 Cure53 report: This report describes the results of a security assessment of the passbolt complex, spanning the passbolt mobile application, related backend API and CLI tool.
August 2021: Browser integration and WebExtension API usage
PBL-05 Cure53 report: This report details the scope, results and conclusory summaries of a penetration test and security assessment against the passbolt browser extension, with a particular focus on the browser integration and WebExtension API usage.
July 2021: Passbolt cloud infrastructure
PBL-04 Cure53 report: For security reasons this report is not public. No major issue was found, only hardening suggestions, which were implemented during the course of the summer.
June 2021: Backend and plugins
PBL-03 Cure53 report: This report describes the results of a security assessment of the passbolt complex, spanning the passbolt backend, API and a selection of passbolt plugins.
April 2021: Browser extensions
PBL-02 Cure53 report: This report describes the results of a comprehensive security assessment targeting the passbolt browser extensions for Chrome and Firefox.
February 2021: Security White Paper
PBL-01 Cure53 report: This report describes the results of a review of a cryptography and security white paper detailing the security properties and architecture of passbolt.
Incident reports
All incidents are listed on this dedicated page.
Older reviews
- Passbolt Web Extension: reviewed several times by Mozilla Add-on reviewers in the course of 2017 as part of the original AMO extension approval process, leading to several improvements in versions 1.6.3, 1.6.4 and 1.6.5.
- Passbolt API: the v2.0.0-RC branch was reviewed by CakeDC in December 2018. You can learn more about the findings here.
- OpenPGP.js code base has undergone two complete security audits from Cure53. Reports can be found here.
- CakePHP was reviewed by NCC Group; you can browse the full report here.
Report a security issue
The code review work will never be done, feel free to contact us if you want to contribute at [email protected].