Based on publicly available information and our current understanding of the Meltdown and Spectre vulnerabilities, both vulnerabilities require an adversary to have arbitrary code execution capabilities on the host. Given that SecureDrop’s Application and Monitor servers do not allow arbitrary code execution, these vulnerabilities appear not to be directly exploitable … Read More

Today we are announcing the release of SecureDrop 0.5. This release adds support for six additional languages. The important changes in this release are summarized below:  The source and journalist interfaces are localized in Dutch, French, German, Norwegian, Portuguese and Spanish. Administrators are able to enable any or all of … Read More

 The release of the next version of SecureDrop, 0.5, is scheduled for December 5th, 2017. We will send out another notification through our blog on securedrop.org, Twitter, and the support portal when the release is live. User-facing changes that administrators should be aware of are summarized in this blog post. … Read More

Come work on SecureDrop at the Electronic Frontier Foundation at 815 Eddy St in San Francisco on Thursday December 7th at 6-9pm!SecureDrop is a whistleblower submission system that media organizations use to securely accept documents from and communicate with anonymous sources. Originally written by Aaron Swartz, it has been maintained … Read More

Today we are announcing the release of SecureDrop 0.4.4. This is a hotfix release to fix a security vulnerability where during initial provisioning of the SecureDrop servers, three packages - tor, ntp, and the Tor keyring are installed without verifying cryptographic signatures. As these packages are fetched over HTTP, an attacker with network access could gain remote code execution on the SecureDrop servers if they are able to man-in-the-middle (MitM) the connection to the apt server. This vulnerability was found during internal code review and there are no signs of active exploitation. Read More

On the evening of Monday October 16th, just as the SecureDrop team was about to head home for the day, two of our engineers, while doing some testing for a new version of SecureDrop expected to be released the following week, discovered a serious vulnerability in the SecureDrop code. Read More

The SecureDrop engineering team welcomes the contributions of security researchers. SecureDrop is relied on by sources to talk with journalists at dozens of news organizations, many of whom are taking significant risks to bring information to the public eye. We want to do everything we can to make the whistleblowing process as safe for them as possible. Testing by external security researchers is an important part of that process. In order to minimize risk to SecureDrop users throughout the security research process, in this post we will describe how to ethically perform security research on SecureDrop and what constitutes acceptable and unacceptable behavior. Read More

Today we are announcing the release of SecureDrop 0.4.3. Read More