Dangerzone
Converts potentially malicious documents into known-clean PDFs by rendering in a sandbox. Pixel-based sanitization — no signature detection to evade.
What should journalists know about Dangerzone?
Every journalist receives documents from unknown sources. Dangerzone is the hygiene step that should be automatic — drop in a suspicious PDF, get back a clean version with any embedded malware neutralized. Created by Micah Lee at First Look Media, now maintained by Freedom of the Press Foundation. Version 0.10.0 (December 2025) eliminated the Docker Desktop dependency on macOS and Windows by embedding Podman directly into the application — a major usability win that removes the biggest adoption barrier. The sanitization approach is deliberately simple and paranoid: convert the document to raw pixel data inside a gVisor sandbox, then reconstruct a clean PDF from those pixels outside the sandbox. No parsing, no heuristics, no signature database. If malicious code executes during conversion, it's trapped in a container with no network access, no filesystem mount, and a gVisor layer intercepting every syscall. Include Security audited Dangerzone in December 2023 (funded by Open Technology Fund) and found zero critical, high, or medium issues — only three low-risk and seven informational findings. Optional OCR restores a searchable text layer after conversion. Inspired by Qubes trusted PDF but works on standard operating systems. The only real competitor is Entrusted, a Rust-based alternative with less institutional backing. Dangerzone is the document sanitizer journalists should use.
Opening documents from unknown sources. Sanitizing leaked files, emailed documents, and newsroom tip submissions before viewing. Batch processing document dumps.
Documents you already trust (adds 30-60 seconds of processing time). Very large files. Audio, video, or zip archives — only handles PDFs, Office docs, ODF, and images. Won't preserve spreadsheet formulas or Word macros (by design — that's the point).
Security & Privacy
Data is scrambled while being sent to their servers
Data is scrambled when stored on their servers
Where servers are located — affects which governments can request your data
Privacy policy summary
All processing happens locally in a sandboxed container. No documents are uploaded, transmitted, or stored anywhere except on your machine. No telemetry, no analytics, no network calls. The container itself has networking disabled — even a compromised sandbox cannot phone home.
How to protect yourself:
Make it a habit to run every document from an unknown source through Dangerzone before opening. Since 0.10.0, Docker Desktop is no longer required on macOS/Windows — Podman is bundled. Update regularly; new document exploit techniques emerge constantly and FPF updates the container image (now Debian-based with current LibreOffice). On first run, expect ~10GB of disk usage for the container image. Use the new CLI tool (dangerzone-machine) to manage the Podman VM if needed. Enable OCR for searchable output. For Qubes OS users, Dangerzone has native integration using disposable VMs instead of containers.
Pixel-based sanitization eliminates embedded malware without relying on signature detection — fundamentally stronger than antivirus scanning. gVisor sandbox (memory-safe Go) intercepts every syscall between the conversion process and the host kernel. Container has no network access and no filesystem mounts. December 2023 audit by Include Security found zero critical/high/medium issues. Local-only processing means zero data exposure. Open source (AGPLv3), 4.8K GitHub stars, 21+ contributors. Backed by Freedom of the Press Foundation with active development — 0.10.0 shipped December 2025 with Podman bundled, eliminating Docker Desktop dependency.
Who Owns This
Known issues
Requires ~10GB disk space for the container image — a real barrier on older machines or constrained environments. Output is always a flat PDF; spreadsheet formulas, macros, and interactive elements are destroyed (intentionally, but users expecting editable output are surprised). Does not handle audio, video, or compressed archives — only PDFs, Office docs (.docx, .doc, .xlsx, .xls), ODF (.odt, .ods, .odp), and images (.jpg, .png). Cannot detect or neutralize steganography or printer tracking dots embedded in visual content. Processing time is noticeable (30-60 seconds per document depending on page count and system). No mobile version — desktop only (macOS, Windows, Linux, Qubes OS). The 2023 Include Security audit flagged that the macOS application itself could be further hardened, though attackers cannot directly target it. No batch processing UI yet (FPF has acknowledged demand from newsrooms).
Pricing
Free. Open source (AGPLv3).
This is an editorial assessment based on publicly available information as of 2026-04-02, using our published methodology. Independent security review is pending. Security posture can change at any time. This is not a guarantee of safety.
Something wrong or outdated? Report it.