How the Spectre and Meltdown Vulnerabilities impact SecureDrop Users

Based on publicly available information and our current understanding of the Meltdown and Spectre vulnerabilities, both vulnerabilities require an adversary to have arbitrary code execution capabilities on the host. Given that SecureDrop’s Application and Monitor servers do not allow arbitrary code execution, these vulnerabilities appear not to be directly exploitable on running SecureDrop instances.