Looking back at October and November 2024

December 20, 2024

The second in our new series of regular project retrospectives.

New releases

In November, we released SecureDrop Client version 0.14.0, which featured a highly requested set of features that allows journalists to select and delete multiple sources simultaneously. This is especially helpful for reviewing and removing spam submissions quickly. This work is based on an original implementation from The Guardian, with some changes that will allow for future bulk actions that are safe and convenient to use.

In October, we released SecureDrop 2.10.1, which contained translation updates for various changes made during 2.10.0. Thanks to Localization Lab and all of our translators for keeping SecureDrop localized.

Security audit

The big news in October was that SecureDrop successfully finished its sixth security audit. We encourage you to read our full blog post with analysis of some of the findings, but we’ll leave you with this quote from the auditors:

“The SecureDrop project defended itself well against a broad range of attack vectors. In fact, despite the large attack surface in scope, only three vulnerabilities could be found during this engagement, and from those, only one had a medium severity. Continued cycles of security testing and hardening will further fortify the platform, making it even more resistant to potential attacks.”

Noble on the horizon

With Ubuntu 20.04 “Focal Fossa” fast approaching its end of life in April 2025, work is progressing well in our efforts to migrate to Ubuntu 24.04 “Noble Numbat.” We’re taking a different approach for this upgrade by working on an in-place upgrade that can be automatically run. More details for administrators will be available soon. Our next step is to release SecureDrop 2.11.0, which will fix a number of issues in preparation for the migration and alert administrators if manual intervention is needed (e.g., not enough free disk space).

This work can be tracked on GitHub by following the “noble” label.

Public appearances

Rowen S, a senior software engineer on the SecureDrop team, recently participated in a panel at the 2024 Centre for Investigative Journalism Logan Symposium, along with a number of other Freedom of the Press Foundation (FPF) team members, where they discussed the impact that technologies using encryption have on investigative journalism.

Nathan Dyer, newsroom support engineer for the SecureDrop team, delivered the annual “State of the Drop” for the 2024 Aaron Swartz Day podcast.

New merch

You might’ve seen some SecureDrop team members at conferences wearing custom “Anti-malware malware club” shirts. After receiving compliments and requests for them, we’re happy to announce you can purchase your own!

We also have other merch available, including shirts, onesies, and stickers. Proceeds will benefit FPF, which funds SecureDrop development.

Follow our work

Until our next update, you can stay up to date on the latest happenings by following us on Mastodon and subscribing to our RSS feed. Feel free to join our Gitter/Matrix room to talk with us directly.
