Auditing SecureDrop & other whistleblower software

I’ll ask someone this week. That also made me curious about audit results regarding SecureDrop. I’m told it was audited but I don’t know where to look to find the result of the audit ? Maybe I’m being naïve and that kind of audit report is not public ? @redshiftzero how does that work ?

SecureDrop has been audited 4 times :

1 Like

Since a new SecureDrop version was published last week I suppose a new audit will also be done. Maybe it’s already in progress ?

reads Limit identification of SecureDrop servers. Provide the FPF repository as a Tor hidden service to minimize risks associated with plaintext HTTP as well as easily accessible fingerprinting vectors (page 9) but I’m not sure I understand what it is about ?

Good questions! Here are the previous audit results, which are all public:

We’re waiting for major application code changes to be done before proceeding with another security audit - likely when the API or journalist workstation is ready for production late 2017 / early 2018. In order to get more audit eyes on the project between audits, we’re planning to add financial rewards for our bug bounty program which we have here:

1 Like