
Has the code been reviewed?

Since 2021, Cure53 has performed a series of nine audits to provide a 360-degree review of the passbolt ecosystem as a whole. Each audit involved several security researchers and lasted about a week.

In the meantime, passbolt has successfully completed a SOC2 Type II audit, a well-established and recognized standard of information security compliance.

Code and Infrastructure security audits

July 2023: User directory integration & DirectoryTree LdapRecord library

PBL-09 Cure53 report: This report describes the results of a security assessment of the passbolt complex, spanning the external DirectoryTree LdapRecord library and related backend API.

March 2023: Passbolt SSO

PBL-08 Cure53 report: This report describes the results of a security assessment of the passbolt complex, spanning the passbolt SSO feature, related backend API and browser extensions.

July 2022: Passbolt Crypto and Account recovery

PBL-07 Cure53 report: This report describes the results of a security assessment of the passbolt complex, spanning several of the newer passbolt features, including the account recovery feature and the ECC key support.

December 2021: Mobile applications and go-passbolt-cli

PBL-06 Cure53 report: This report describes the results of a security assessment of the passbolt complex, spanning the passbolt mobile application, related backend API and CLI tool.

August 2021: Browser integration and WebExtension API usage

PBL-05 Cure53 report: This report details the scope, results and conclusory summaries of a penetration test and security assessment against the passbolt browser extension, with a particular focus on the browser integration and WebExtension API usage.

July 2021: Passbolt cloud infrastructure

PBL-04 Cure53 report: For security reasons this report is not public. No major issue was found, only hardening suggestions, which were implemented during the course of the summer.

June 2021: Backend and plugins

PBL-03 Cure53 report: This report describes the results of a security assessment of the passbolt complex, spanning the passbolt backend, API and a selection of passbolt plugins.

April 2021: Browser extensions

PBL-02 Cure53 report: This report describes the results of a comprehensive security assessment targeting the passbolt browser extensions for Chrome and Firefox.

February 2021: Security White Paper

PBL-01 Cure53 report: This report describes the results of a review of a cryptography & security white paper detailing the security properties and architecture of passbolt.

Incident reports

All incidents are listed on this dedicated page.

Older reviews

  • Passbolt Web Extension: reviewed several times by Mozilla Add-on reviewers in the course of 2017 as part of the original AMO extension approval process, leading to several improvements in versions 1.6.3, 1.6.4 and 1.6.5.

  • Passbolt API: the v2.0.0-RC branch was reviewed by CakeDC in December 2018. You can learn more about the findings here.

  • OpenPGP.js: the code base has undergone two complete security audits by Cure53. Reports can be found here.

  • CakePHP: reviewed by NCC Group. You can browse the full report here.

Report a security issue

Code review work is never done. Feel free to contact us at [email protected] if you want to contribute.
