diff --git a/cmd/server/main.go b/cmd/server/main.go
index 728de4f..d9e8efa 100644
--- a/cmd/server/main.go
+++ b/cmd/server/main.go
@@ -377,6 +377,7 @@ type allowFn func(r *http.Request) bool
 var publicEndpoints = []allowFn{
 	allowPublicInitiativeLookups,
+	allowPublicAnalysisDownloads,
 }
 var allowPublicInitiativeLookupsRegexp = regexp.MustCompile(`^/initiative/[^/]*$`)
@@ -388,6 +389,15 @@ func allowPublicInitiativeLookups(r *http.Request) bool {
 	return allowPublicInitiativeLookupsRegexp.MatchString(r.URL.Path)
 }
+var allowPublicAnalysisDownloadsRegexp = regexp.MustCompile(`^/report/.*$`)
+func allowPublicAnalysisDownloads(r *http.Request) bool {
+	if r.Method != http.MethodGet {
+		return false
+	}
+	return allowPublicAnalysisDownloadsRegexp.MatchString(r.URL.Path)
+}
 func requireJWTIfNotPublicEndpoint(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		for _, fn := range publicEndpoints {
diff --git a/reportsrv/reportsrv.go b/reportsrv/reportsrv.go
index 0de2e5c..b727638 100644
--- a/reportsrv/reportsrv.go
+++ b/reportsrv/reportsrv.go
@@ -192,6 +192,7 @@ func (s *Server) doAuthzAndAuditLog(a *pacta.Analysis, aa *pacta.AnalysisArtifac
 	actorID, _ := session.UserIDFromContext(ctx)
 	if actorID == "" {
 		actorID = unauthenticatedUserID
+		actorOwner = &pacta.Owner{ID: unauthenticatedUserID}
 	} else {
 		ownerID, err := s.db.GetOwnerForUser(s.db.NoTxn(ctx), actorID)
 		if err != nil {
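Review bot: The pattern `^/report/.*$` in allowPublicAnalysisDownloadsRegexp exempts every GET under /report/ from requireJWTIfNotPublicEndpoint, including nested paths and the bare `/report/`, whereas the neighbouring allowPublicInitiativeLookupsRegexp deliberately restricts itself to a single path segment with `[^/]*`. If only `/report/{id}` downloads are meant to be public, mirror that shape by changing the pattern to `^/report/[^/]+$`, which also rejects the empty segment. Either way allowPublicAnalysisDownloads deserves a comment stating that the JWT gate is skipped for these requests and per-artifact authorization is expected from the report handler (the second hunk shows reportsrv doing its own authz and audit logging), e.g. `// Public report downloads: the JWT gate is bypassed, so reportsrv must authorize each artifact itself.`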
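Review bot: The new assignment gives anonymous callers a non-nil actorOwner built from the unauthenticatedUserID sentinel, so any later check in doAuthzAndAuditLog that uses `actorOwner != nil` as a proxy for "authenticated" would now pass for unauthenticated requests; the rest of the function, including the declaration of actorOwner, is outside the hunk, so I cannot confirm whether such a check exists. A comment on the added line would make the intent explicit, e.g. `// Anonymous actor: use the sentinel owner so the audit record and downstream code never see a nil owner; it must never equal a real owner ID.` If downstream logic does rely on a nil owner to mean anonymous, gating on `actorID == unauthenticatedUserID` instead keeps that distinction visible.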