In March 2023, [Radically Open Security](https://www.radicallyopensecurity.com/) conducted a security audit on the major improvements that we released in [[Tails 5.8|version_5.8]] (December 2022) on the Persistent Storage, the Unsafe Browser, and the Wayland integration.
To better protect our users, we addressed most of the security vulnerabilities as soon as they were discovered and reported to us, without waiting for the audit to be complete and public. We can now share with your the [final report](https://gitlab.tails.boum.org/tails/tails/uploads/df935595f41faa687805136a6bfa2910/tails-ros-penetration-test-report-1-2.pdf).
> ***Overall, the Tailsoperating system left a solid impression and addressed > most of the concerns of an average user in need of anonymity.*** > > *This is particularly evident in the isolation of various components by the > developers. For example, the configured AppArmor rules often prevented a > significant impact of the found vulnerabilities. Shifting to Wayland was a > good decision, as it provides more security by isolating individual GUI > applications.* > > *All in all, no serious vulnerabilities were found through the integration > into Wayland. Unsafe Browser and Persistent Storage should now be less > vulnerable to attack, as all vulnerabilities have been fixed.*
The auditors found 6 *High*, 1 *Moderate*, 3 *Low*-severity issues. Another issue was fixed before the actual impact was assessed and so marked as having *Unknown* severity.
We fixed all these issues as soon as possible and before making them public on our GitLab. The last issue was fixed in 5.14, 3 weeks after it was reported to us.
As good as the results of this audit are, they also serve as a reminder that no software is ever 100% secure and that every release of Tails can fix critical security vulnerabilities. Your best protection against all kinds of attack is to keep your Tails up-to-date.
Because at Tails we believe that transparency is key to building trust, all the code of our software is public and the results of this audit as well. You can find below a summary of all the issues and their fixes.
<table> <tr><th>ID</th><th>Issue</th><th>Description</th><th>Impact</th><th>Status</th><th>Release</th></tr> <tr><td>TLS-012</td><td>[[!tails_ticket 19585]]</td><td>Leak clear IP as low-privileged user amnesia</td><td>High</td><td>Fixed</td><td>5.12</td></tr> <tr><td>TLS-013</td><td>[[!tails_ticket 19594]]</td><td>Local privilege escalation to Tor Connection sandbox</td><td>High</td><td>Fixed</td><td>5.12</td></tr> <tr><td>TLS-014</td><td>[[!tails_ticket 19595]]</td><td>Local privilege escalation to Tor Browser sandbox</td><td>Moderate</td><td>Fixed</td><td>5.13</td></tr> <tr><td>TLS-017</td><td>[[!tails_ticket 19610]]</td><td>Insecure permissions of chroot overlay</td><td>Unknown</td><td>Fixed</td><td>5.13</td></tr> </table>
