
Mailvelope Extensions Security Audit

Date 30.07.2019


SEC Consult was tasked by the Federal Office for Information Security (German abbreviation: BSI) with performing a security audit and source code review of the Mailvelope Google Chrome and Firefox add-ons, the OpenPGP.js library, and the GPGME-json utility. The objective of this review was to reveal common security issues and to offer suggestions for improvements. The focus of the audit was to identify:

  • vulnerabilities in the cryptographic algorithms,
  • routines that could cause user data compromise,
  • and routines that could be abused for user monitoring.

The vulnerabilities outlined in this document are subject to a coordinated vulnerability disclosure process and the appropriate maintainers have been notified. [Most of the vulnerabilities are patched, while some uncritical vulnerabilities are not yet addressed. Passages in this report regarding unpatched vulnerabilities are hence expunged.]
The following chapter summarizes the scope and timetable of the audit and its results, and outlines the measures recommended by SEC Consult.