Help us test WEBCAT alpha
Web applications are only as trustworthy as the servers that serve them, and servers can get hacked. So, last year, we introduced WEBCAT (Web-Based Code Assurance and Transparency), a project designed to enable verifiable in-browser code for web applications. We wrote extensively about WEBCAT’s requirements, constraints, and goals. Today, we’re excited to announce the alpha release of WEBCAT. In particular, we invite community participation in a new, decentralized enrollment infrastructure. Read More
See you at Real World Crypto Symposium
We’ll be presenting on establishing trust in web applications and on the next generation of SecureDrop. Hope to see you in Taipei! Read More
Looking back at 2025
Journalists are working harder than ever to protect their sources. SecureDrop has never been more important. Read More
WEBCAT: Towards auditable web application runtimes
In this blog post, we examine the technical requirements for web applications to be properly auditable, arguing that reproducibility is a necessary condition. Enforcing the constraints needed to achieve this on the web is non-trivial, and we present a technical deep dive into how we approach this problem in WEBCAT. Read More
Security Analysis of SecureDrop Protocol Presented at IETF 124
SecureDrop software engineer Cory Myers and ETH Zurich researcher Felix Linker gave a talk entitled “SecureDrop — From Design to Analysis” to the Usable Formal Methods Research Group at the 124th meeting of the Internet Engineering Task Force in Montreal on Nov. 4, 2025. Read More
See you at Transparency.dev
We’re pleased to announce that we’re bringing WEBCAT to the second annual Transparency.dev Summit later this month in Gothenburg, Sweden. Read More
Bootstrapping SecureDrop Workstation via Qubes-Contrib
An upcoming release of SecureDrop Workstation will simplify the installation process by utilizing a bootstrap package hosted in Qubes OS’s “Contrib” repository. Read More
We’re changing how we deliver support to SecureDrop users
We are now providing support directly via Signal and will be completing a migration away from Redmine on Nov. 3, 2025. Read More