Professional services: SecureDrop support


We had a good discussion with @dshmL yesterday about professional services to support SecureDrop. He knows a lot more about maintaining machines in a usable state than I do because that’s what his clients hire him to do as a freelance.

There are potential SecureDrop users who do not have in-house staff. They may be lucky and get a good relationship with someone who helps them maintain their SecureDrop on a long term volunteer basis. I know of at least three SecureDrop instances for which it is the the case and this is a growing trend. What about the others? They currently cannot turn to any service provider and ask for a maintenance contract.

Since both @dshmL (as a freelance) and @xavier (in the name of OpenCraft) are interested in developping that kind of expertise and service, I would like to explore this a little more. If you know of companies / freelance who would also be interested, it would be great :slight_smile:

The main takeaway of yesterday’s conversation is that acquiring SecureDrop expertise is costly. The daily maintenance burden is low because it is robust and breakage is rare. But a maintenance contract is not just about doing the easy part, the customer also expects that any kind of breakage can be fixed, even the most complicated ones.

Based on my ~one year experience maintaining production SecureDrop instances, I think the following could work:

  • SecureDrop installation / training: these are one-time contracts, not in scope and FPF already covers that very well.
  • SecureDrop maintenance level 1 (between 8 and 16 hours a year, in the range of 100 or 200 euros per month):
    • private e-mail/ticketing system or public forum communications only
    • does not include assistance in creating journalist keys, operating the SVS or other duties for which the in house admin was trained and does not involve the application and monitor servers.
    • analyzing OSSEC alerts & monitoring the source page
    • 4h delay intervention when a breakage happen
  • SecureDrop maintenance level 2 (about one week for each unique new problem, about one or two hours to diagnose an existing problem, one diagnostic per year per instance, one unique new problem per ten instances per year, in the range of 500 to 1,000 euros per year per instance):
    • 24h delay intervention on problems reported by level 1

Assuming these estimates are not completely wrong (please speak up if you think they are!), there are two other problems blocking any freelance or company:

  • the potential market is really small (NGOs and media interested all together are in the hundreds world wide)
  • the learning curve is high (about three months learning full time to be able to provide level 2)

If the market was larger the learning curve could be absorbed, but it’s not the case. To get things moving I propose to provide level 2 maintenance on a volunteer basis for one year so OpenCraft and @dshmL can learn gradually and become autonomous eventually.

There are a lot of unknown and this idea may not work out for a variety of reasons. But we’re motivated to give it a try and hopefully others will join or contribute ideas. Or convince us this cannot work and save us precious time :slight_smile:

What do you think?