Security Advisory

Security Advisory: Misconfigured package repository servers and developer infrastructure

An internal review discovered that some servers maintained by Freedom of the Press Foundation (FPF) and used to support SecureDrop were installed in an insecure manner.

Security Advisory: Update encrypted USB drives and replace short passphrases

We recommend that all SecureDrop Administrators upgrade to Tails 5.14, which includes important updates to the disk encryption and passphrase hashing algorithms. We also recommend updating all other encrypted drives, and ensuring you have long passphrases.

Security Advisory: Permissions-related vulnerability

SecureDrop 2.5.1 has been released to address a security issue that was found on the SecureDrop server environment during an internal code audit.

Security Advisory: Cross-site request forgery vulnerability on Journalist Interface test alert form

On May 10, 2021, the Tenable team informed us of a CSRF vulnerability on SecureDrop’s Journalist Interface. Details are now available on their advisories page.

Security Disclosure: Configuration Error on SecureDrop’s Translation Platform

The SecureDrop project uses a self-hosted installation of Weblate for translation into supported languages. On Sunday, an independent security researcher reported a Weblate misconfiguration through our bug bounty program.

Security Advisory: SecureDrop and the EFAIL Vulnerability

Today, security researchers disclosed vulnerabilities, collectively called EFAIL, in how the decryption and display of PGP-encrypted emails are handled in multiple email clients (see EFAIL website, EFAIL paper). SecureDrop submissions are not sent via email, and can only be decrypted on the air-gapped Secure Viewing Station, so the content of …

How the Spectre and Meltdown Vulnerabilities impact SecureDrop Users

Based on publicly available information and our current understanding of the Meltdown and Spectre vulnerabilities, both vulnerabilities require an adversary to have arbitrary code execution capabilities on the host. Given that SecureDrop’s Application and Monitor servers do not allow arbitrary code execution, these vulnerabilities appear not to be directly exploitable …