GIMP

Free image editor with non-destructive editing, now at version 3.2 after a decade-long overhaul.

Open source

Strong

https://www.gimp.org · Reviewed 2026-04-02 · Editorial assessment by Mike Schneider — based on public security research and audits

What should journalists know about GIMP?

GIMP 3.0 shipped in March 2025 after seven years of development. GIMP 3.2 followed in March 2026 with non-destructive vector layers, link layers, and SVG export. The gap with Photoshop has narrowed meaningfully: non-destructive editing, on-canvas text, and a modernized GTK3 interface finally make it feel like current software. It still can't open RAW files natively (you need a separate converter like darktable), and the learning curve is real. But for crop-resize-retouch-composite workflows — the 90% of what newsrooms do — GIMP handles it without subscriptions, cloud dependencies, or data collection. Zero telemetry. Zero accounts. Runs entirely offline.

Best for

Photo editing and retouching. Creating social graphics. Image manipulation analysis for verification. Metadata inspection. Batch processing via Script-Fu or Python-Fu.

Not for

RAW photo development (use darktable or RawTherapee first). Vector graphics (use Inkscape). Quick template-based social graphics (Canva is faster). AI-assisted edits like generative fill.

Security & Privacy

Encryption in transit Yes

Data is scrambled while being sent to their servers

Encryption at rest Yes

Data is scrambled when stored on their servers

Data jurisdiction All local — no data sent anywhere. GIMP makes no network connections unless you explicitly open a remote file via FTP/HTTP.

Where servers are located — affects which governments can request your data

Security rating Strong

GIMP collects nothing. No accounts, no telemetry, no analytics, no ads. The official privacy policy states the software 'does not, in any way, collect, transmit, share or use any Personal Data.' One of the cleanest privacy stories in any software category.

How to protect yourself:

Strip EXIF/metadata from images before publishing if source protection matters — GIMP's metadata viewer (Filters > Python-Fu > Console or Image > Metadata) lets you inspect what's embedded. Keep GIMP updated: file-parsing vulnerabilities in older versions (XWD, FLI, TGA, XCF formats) have been patched in 3.0+.

Open-source, fully local, no accounts or telemetry. Part of the GNU Project with decades of community oversight. File-parsing CVEs are the main attack surface — mitigated by keeping current (3.2.2 as of March 2026) and not opening untrusted files in exotic formats.

Who Owns This

Owner GIMP Development Team (GNU Project, fiscally hosted by GNOME Foundation)

Funding Donations through GNOME Foundation, community fundraisers. Primary maintainer Jehan funds development partly through the ZeMarmot animated film project. $72K income in 2023-2024. First two GNOME-administered development grants awarded October 2025. No corporate sponsor.

Business model None — volunteer-driven open source. No paid tier, no premium features, no data monetization.

Known issues

Multiple file-parsing vulnerabilities disclosed in 2025 (CVE-2025-2760, CVE-2025-2761, CVE-2025-48797, CVE-2025-48798) affecting XWD, FLI, TGA, and XCF formats — all require opening a malicious file. Patched in 3.0+. Cannot open RAW camera files natively. GNOME Foundation financial instability in 2024-2025 slowed grant-funded development, though community contributions continued. 21 contributors to 3.2.2 codebase, but only ~7 core developers — bus factor is low for a project this important.

Pricing

Free

This is an editorial assessment based on publicly available information as of 2026-04-02, using our published methodology. Independent security review is pending. Security posture can change at any time. This is not a guarantee of safety.

Something wrong or outdated? Report it.