The SecureDrop whistleblower platform has resulted in security research on the project itself, academic research analyzing threats of relevance to SecureDrop, and research inspired by SecureDrop that advances the state of the art of whistleblowing platforms. This page contains links to research papers and reports we're aware of on SecureDrop or research that mentions the project. Please send us a message if you are aware of research that is not mentioned here. Interested in working on research on SecureDrop? Reach out!
Our research
Research projects
- SecureDrop Protocol is an ongoing research project to develop an end-to-end encrypted (E2EE) protocol for whistleblowing applications, which allows for deployments in untrusted server environments while requiring no source-side state beyond a single passphrase. The project is public and collaboration is welcome; see our GitHub repository.
For more information on SecureDrop Protocol, see our series of blog posts:
Whitepapers
- SecureDrop team, Design of the Next-Generation SecureDrop Workstation (PDF). This whitepaper describes the security architecture of the journalist Qubes workstation, in pilot use as of 2021.
Academic Publications
- Philip Di Salvo, Securing Whistleblowing in the Digital Age: SecureDrop and the Changing Journalistic Practices for Source Protection. A study on the usage of SecureDrop based on interviews with journalists.
- Laurens Sion, Koen Yskout, Dimitri Van Landuyt, Wouter Joosen, Risk-Based Design Security Analysis. Paper on threat modeling techniques using SecureDrop as an example.
- Saba Eskandarian, Henry Corrigan-Gibbs, Matei Zaharia, and Dan Boneh, Express: Lowering the Cost of Metadata-hiding Communication with Cryptographic Privacy (PDF). New metadata-hiding communications system, mentions SecureDrop in the introduction as motivation.
- Charles Berret, Guide to SecureDrop. An in-depth guide to SecureDrop and its use in newsrooms from the Tow Center for Digital Journalism.
- Giovanni Cherubin, Jamie Hayes, Marc Juarez, Website Fingerprinting Defenses at the Application Layer (PDF). Paper presenting server-side defenses for website fingerprinting, presented at PETS 2017.
- Rebekah Overdorf, Marc Juarez, Gunes Acar, Rachel Greenstadt, Claudia Diaz, How Unique is Your .onion? An Analysis of the Fingerprintability of Tor Onion Services (PDF). Presented at CCS 2017.
Third-party audits
We get regular third-party audits of SecureDrop and its subcomponents. For transparency, we publish the reports, which can be seen below:
- 7ASecurity, 2024 SecureDrop Audit Report (PDF). This report describes the wide-ranging audit of SecureDrop performed in the summer of 2024. The audit covered application code, the supply chain, build/deployment infrastructure, and the SecureDrop threat model. Funded by OTF.
- Trail of Bits, SecureDrop Workstation Audit (PDF). This report describes the December 2020 and January 2021 audit of the journalist Qubes workstation, now in pilot use in news organizations. Funded by the New York Times.
- Include Security, SecureDrop Workstation Audit (PDF). This report describes the November 2018 audit of the alpha release of the journalist Qubes workstation. Funded by the OTF Red Team.
- Leviathan Security, SecureDrop Audit (PDF). Performed in late 2018 on behalf of Softwerx.
- iSEC Partners, SecureDrop Audit (PDF). Performed in Summer 2015.
- iSEC Partners, SecureDrop Audit (PDF). Performed in Summer 2014.
- Cure53, SecureDrop Audit (PDF). Performed in late 2013.
- University of Washington, SecureDrop Audit (PDF). This was the first audit of SecureDrop, performed in Spring 2013.
Student Research
- Andres Nater, Erica Santana, Patrick Wahl, An End-to-End Encryption Scheme for SecureDrop (PDF). Written as part of MIT's 6.857 (Computer and Network Security) course in Spring 2018.