Trust, Not Just Code: Why Digital Public Goods Catalogues Matter for Whistleblowing Software
Date published: 12 June 2025
Authored by: Giovanni Pellerano, Project Lead - GlobaLeaks
In March 2025, the European Commission took an important step toward greater transparency and collaboration in digital governance by launching the European Open Source Solutions Catalogue (EU OSS Catalogue).
The catalogue lists publicly available open-source software intended for use by public agencies. It is similar to the Digital Public Goods Registry maintained by the Digital Public Goods Alliance, which more broadly includes publicly available resources designed with sustainability in mind and formally defined as “Digital Public Goods.”
Developed under the FOSSEPS initiative (Free and Open Source Software for European Public Services), the EU OSS Catalogue is now publicly available via the Interoperable Europe Portal and already hosts over 640 reusable open-source tools for public administrations.
Among them is GlobaLeaks, the whistleblowing software I’ve been contributing to since 2011, designed to enable secure and anonymous reporting of corruption and wrongdoing. Seeing it listed among many other inspiring public-interest technologies felt like a moment of recognition, not for me personally, but for a broader principle I believe in deeply: that public infrastructure should be based on publicly auditable software, especially for critical services.
Why These Catalogues Matter
Public catalogues like the EU OSS Catalogue go far beyond being technical directories. They reflect a shared political and ethical vision: one in which transparency, accountability, and the reuse of publicly funded technology are core values. This catalogue helps unify efforts across Member States, connecting with France’s CodeGouvFr, Italy’s Developers Italia, Germany’s OpenCoDE, and others, creating a federated and increasingly coherent ecosystem.
GlobaLeaks has now found its place not only in the EU OSS Catalogue, but also in the Digital Public Goods Alliance Registry, which highlights its alignment with the goals of sustainable development and digital rights, and of course, in Developers Italia, our home platform for reusable open-source software for public agencies in Italy.
These listings are not trophies. They are part of a long, ongoing process of building trust and legitimacy for the tools that civil society and institutions alike rely on to protect those who speak out.
Trust, Not Just Code
People who blow the whistle often do so at great personal risk. The software they use to report abuse must offer more than just functionality; it must be worthy of their trust. And trust isn’t built through marketing or proprietary certifications; it’s built through openness, transparency, and the ability for others to inspect and improve the tools we rely on.
Some years ago, I was involved in uncovering a serious vulnerability in a proprietary whistleblowing system used by the European Commission. The platform had been adopted with good intentions, but it was closed-source. The vulnerability was invisible to external experts and was only discovered thanks to ethical hacking and coordinated disclosure through MITRE; it was later assigned CVE-2022-34007.
This experience stayed with me. It underscored a painful truth: when code is closed, so are the opportunities to detect flaws or abuse. Accountability is outsourced, and the public is left in the dark.
Open source, by contrast, allows for peer review, continuous auditing, public visibility into the development process, and better incident response. Especially for whistleblowing platforms, this isn’t a matter of preference; it’s a matter of ethics.
Open Source for Open Governance
When public institutions opt for proprietary solutions to handle whistleblower reports, they often unintentionally trade transparency and security for convenience. These systems might meet the minimum compliance bar, but they can’t support the participatory governance and accountability that open-source tools enable.
GlobaLeaks has grown slowly but steadily since we first released it in 2011. It has been shaped by activists, technologists, journalists, lawyers, compliance managers, data protection officers, and public officials. It is now used by hundreds of institutions around the world, customized to meet local laws, languages, and threats. Its open code and the availability of public community spaces mean that everyone can understand how it works, participate in its development, and suggest improvements to security protocols.
By including GlobaLeaks in public catalogues, institutions aren’t just listing software; they’re endorsing a commitment to transparency, security, and the fundamental right to report wrongdoing in a safe and trusted environment.
Costs and Sustainability
Another important aspect often overlooked is cost. While proprietary software may seem convenient at first, it often comes with hidden expenses, license fees, vendor lock-in, and costly upgrades that can strain public budgets over time. Open-source solutions like those found in these catalogues, on the other hand, offer a more sustainable path.
Because the code is openly shared and maintained by a community, public administrations can avoid recurring costs, adapt the software to their needs without expensive contracts, and invest savings into improving services or supporting whistleblower protections. In my experience, this not only makes financial sense but also strengthens the public value of the tools we rely on.
Policy Reflections: Open Source as a Norm
The creation of these institutional public registries for Digital Public Goods, and especially the creation of an EU OSS Catalogue, is more than symbolic; it’s a message. Open source is no longer niche or experimental. In critical areas like civic reporting, it should be the standard.
From my experience, I’d encourage public administrations to consider a few key principles when adopting whistleblowing and anti-corruption tools:
- Use open-source tools when handling civic or sensitive data;
- Support regular third-party audits and peer review;
- Join federated catalogues to improve collaboration and transparency;
- Back community-driven projects that evolve with real-world needs.
By doing so, public administrations can ensure that transparency isn’t just an aspiration but becomes a part of the system’s very fabric.
Closing Thoughts
As our public institutions and public agencies increasingly rely on digital infrastructure to serve citizens and uphold the rule of law, the transparency of these systems must be non-negotiable. Tools that protect whistleblowers should be just as scrutinized and just as accountable as the institutions they help monitor.
Closed-source software introduces unnecessary opacity and risk by relying on outdated security-through-obscurity models. Open source creates the conditions for trust, innovation, and collective resilience.
By recognizing and integrating tools like GlobaLeaks into public platforms, we move closer to a digital public sphere rooted in openness and integrity. In the fight against corruption, open-source tools remain our best line of defense. I’m grateful to be part of that effort, and more so, to be part of a global community that believes in the same.
Readable on Substack.