Passbolt Clears Three Security and Compliance Audits

Remy Bertot

4 March, 2025

Over the last four months, three independent assessments have been conducted to evaluate the security posture of passbolt: a web application and cloud infrastructure penetration test, a cryptographic review of the authentication components, and a SOC 2 Type II audit. Each assessment not only confirmed the strength of passbolt’s existing security measures but also helped us identify and address areas for improvement.

Passbolt Cloud Penetration Test (November 2024)

Passbolt engaged Quarkslab to conduct an assessment of the Passbolt Cloud solution over two separate phases: a web application penetration test and an assumed breach assessment.

The web application pentest examined the API for vulnerabilities, assessed the security measures in the back-end code, and reviewed the controls designed to prevent unauthorized actions. The assumed breach assessment modelled an internal attack, evaluating the system's resilience against an adversary who already has server access.

Findings

  • Authentication mechanisms were found to be robust.
  • API security controls were implemented correctly, preventing unauthorized actions.
  • No privilege escalation vulnerabilities were identified in the assumed breach simulation.
  • The recommendations provided were focused on further hardening security mechanisms and maintaining best practices.

Overall, the assessment confirmed a strong security foundation, with no new major risks highlighted, as stated in the audit report:

"Based on previous experiences and on the risk matrix, Quarkslab assesses the maturity and security level of the audited scope as Very Satisfying. During the audit, no critical vulnerabilities were found. Globally the security of the web application is robust and secure."

Actionable and relevant recommendations were made to improve the overall security posture. 

We do not publicly share our infrastructure penetration test reports, as they contain sensitive details about our cloud configuration that could aid potential attackers.

Authentication Cryptographic Review (December 2024)

Passbolt invited Cure53, a cybersecurity firm specializing in cryptographic analysis, to conduct a review focused on the product authentication mechanisms. 

The objective was to assess whether any weaknesses, particularly oracle attacks or timing vulnerabilities, could be exploited. In an oracle attack, an attacker sends carefully crafted messages and observes subtle differences in the system's responses, such as execution time, error messages, or response delays, to infer sensitive information. The review focused on the OpenPGP encryption mechanisms used during authentication and their resistance to timing and padding attacks.

Findings

  • Only one low-risk, informational finding was reported: a minor timing attack issue within an upstream OpenPGP library.
  • No direct vulnerabilities in passbolt’s implementation were found.

Cure53 noted that while passbolt's implementation is secure, addressing the potential timing leaks in the upstream library would further strengthen it. The report's results and recommendations were shared with the OpenPGP library maintainers so that the cryptographic improvements are adopted in future releases.

You can read more about the findings in the original report or see the social post.

SOC 2 Type II Audit (January 2025)

The SOC 2 Type II audit is an in-depth evaluation of security controls over a 12-month period, ensuring that operational security meets the AICPA Trust Services Criteria. This audit provides external validation that passbolt’s security measures are both well-designed and effectively enforced.

SOC 2 compliance is essential for Cloud solutions providers like passbolt to demonstrate that their security processes meet industry standards. The audit, conducted by Johanson Group, an independent service auditor, examined the design and operational effectiveness of passbolt’s security controls over a full year (January 2024 to January 2025). The review covered policies, risk management, data protection mechanisms, and how security commitments were met.

Findings

  • No material weaknesses were found in the design or operational effectiveness of controls. 
  • Testing procedures confirmed that passbolt’s security measures were effectively enforced over the audit period.

This independent validation demonstrates passbolt’s ongoing commitment to security best practices and regulatory compliance. The results provide assurance to customers, partners, and stakeholders that passbolt maintains strong security governance and risk management practices.

In accordance with SOC recommendations, an NDA is required to review our audited report. Companies that are passbolt customers can obtain the report by contacting us through the regular customer support channels.

Conclusion

The results from these audits confirm that passbolt maintains a strong security posture, with no critical risks identified. The findings from Quarkslab and Cure53 provide valuable insights that will be used to further improve security. The SOC 2 Type II certification reinforces the reliability of our security framework.

Security is never “done.” We’re already preparing for our next security assessment with Passbolt v5, scheduled for April 2025. Our focus remains on continuously improving, addressing new risks, and staying ahead of industry standards.

If you have any questions or would like to learn more about our security approach, feel free to reach out.
