SecureDrop 2.15.1 is now available, improving memory management while handling APIv2 requests, and fixing an issue with restoring backups without transferring over the network: Read More

In advance of the initial release of SecureDrop Inbox, we commissioned an independent security audit from X41 D-Sec. Read More

SecureDrop 2.15.0 is now available, which enables the updated API needed for the upcoming SecureDrop Inbox. Read More

SecureDrop Client 0.17.5 has been released to address a low-priority security issue. Exploiting this vulnerability would require a compromised server, and we are not aware of any exploits in the wild. Read More

SecureDrop Inbox, the new window into the SecureDrop Workstation, has been rewritten from the ground up to replace the previous client application for existing journalist users. Improving upon the core functionality, it also includes bug fixes, speed improvements, and a range of new features. Read More

A new SecureDrop Inbox will be released in the next few weeks, the result of work begun by the team in July 2025 to redesign how journalists process submissions. SecureDrop Workstation users will receive it automatically during a system update. Read More

This update contains multiple security fixes, all of which are low or informational priority. We are not aware of any exploitation in the wild for any vulnerability. Read More

Web applications are only as trustworthy as the servers that serve them, and servers can get hacked. So, last year, we introduced WEBCAT (Web-Based Code Assurance and Transparency), a project designed to enable verifiable in-browser code for web applications. We wrote extensively about WEBCAT’s requirements, constraints, and goals.Today, we’re excited to announce the alpha release of WEBCAT. In particular, we invite community participation in a new, decentralized enrollment infrastructure. Read More