Has the code been reviewed?
In the course of 2021, Cure53 performed a series of six audits in order to provide a 360-degree review of the passbolt ecosystem as a whole. Each audit involved several security researchers and lasted for about a week.
In the meantime, passbolt has successfully completed a SOC 2 Type II audit, a well-established and recognized standard of information security compliance.
Code and Infrastructure security audits
December 2021: Mobile applications and go-passbolt-cli
PBL-06 Cure53 report: This report describes the results of a security assessment of the passbolt complex, spanning the passbolt mobile application, related backend API and CLI tool.
August 2021: Browser integration and WebExtension API usage
PBL-05 Cure53 report: This report details the scope, results and conclusory summaries of a penetration test and security assessment against the passbolt browser extension, with a particular focus on the browser integration and WebExtension API usage.
July 2021: passbolt cloud infrastructure
PBL-04 Cure53 report: For security reasons this report is not public. No major issue was found, only hardening suggestions, which were implemented during the course of the summer.
June 2021: Backend and plugins
PBL-03 Cure53 report: This report describes the results of a security assessment of the passbolt complex, spanning the passbolt backend, API and a selection of passbolt plugins.
April 2021: Browser extensions
PBL-02 Cure53 report: This report describes the results of a comprehensive security assessment targeting the passbolt browser extensions for Chrome and Firefox.
February 2021: Security White Paper
PBL-01 Cure53 report: This report describes the results of a review of a cryptography and security white paper detailing the security properties and architecture of passbolt.
All incidents are listed on this dedicated page.
Passbolt Web Extension: reviewed several times by Mozilla Add-on reviewers in the course of 2017 as part of the original AMO extension approval process, leading to several improvements in versions 1.6.3, 1.6.4 and 1.6.5.
Passbolt API: the v2.0.0-RC branch was reviewed by CakeDC in December 2018. You can learn more about the findings here.
The OpenPGP.js code base has undergone two complete security audits by Cure53. Reports can be found here.
CakePHP was reviewed by NCC Group; you can browse the full report here.
Report a security issue
The code review work will never be done, feel free to contact us if you want to contribute at [email protected].