SecureDrop is an open-source whistleblower submission system that media organizations can use to securely accept documents from and communicate with anonymous sources. It is currently a project of Freedom of the Press Foundation and was originally created by the late Aaron Swartz.
SecureDrop aims to help parties communicate securely by using a number of privacy enhancing tools, including Tor, Tails and GPG. The system runs on dedicated hardware and is isolated from the media organization's corporate network with a separate firewall.
SecureDrop provides two web interfaces, both of which are only accessible as hidden services in the Tor network; one that sources use to send messages or upload documents, and one that journalists use to check submitted information and reply to sources. All communication happens over the Tor network, submissions are encrypted with GPG, and Tails is used on an air-gapped computer when reviewing the information submitted.
We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being pro-active rather than re-active to emerging security issues is a fundamental belief at the Freedom of the Press Foundation. We appreciate the community's efforts in creating a more secure world.
If you have any questions, contact firstname.lastname@example.org subject = securedrop.
In order to give researchers as much access to the SecureDrop system as possible, and thus provide a bounty that is more effective than just a black box test or code review, we recommend that researchers set up their own instance of SecureDrop for testing and analysis. You can do this quickly and easily with our automated deployment process.
You can choose to deploy SecureDrop locally in a virtualized environment (Vagrant + Virtualbox), or you can deploy it on dedicated hardware to most accurately emulate a production installation. We recommend choosing the environment based on what you are interested in testing: for example, vulnerabilities in the web application or the server stack will be auditable from the virtualized environment, while vulnerabilities in the air-gapped document decryption workflow will be more easily auditable with a full installation on dedicated hardware.
Note that all production instances are run on dedicated hardware and the virtualized environments are only meant for development and testing. Vulnerabilities that rely on the virtualized environment will not be considered for a reward.
To use the virtual environment, you will need a machine capable of running Vagrant, Ansible, and VirtualBox, with at least 2GB of available RAM. A preconfigured Vagrantfile is included in the SecureDrop Git repository, and can set up three different virtual environments: development, staging, and prod. We recommend using prod for security research because it most closely emulates a production installation.
Vulnerabilities that rely on changes specific to the development or staging virtual environments will not be considered for a reward.
To set up a virtual test environment,
- Clone the SecureDrop git repository:
git clone https://github.com/freedomofpress/securedrop.git
- Read the Development Guide to learn how to install prerequisites and use Vagrant to set up the virtual environment of your choice.
- Happy hunting!
If you are interested in using a test environment that mirrors a production installation as closely as possible, you should:
- Obtain the necessary hardware, which is described in the Hardware Guide.
- Follow the Installation Guide for a production instance.
Note that a full production install, while mostly automated (and much easier than it used to be), is quite complicated and not for the faint of heart. Here's how it was recently described on Twitter.
Once you've set up a SecureDrop environment for testing, see these resources to learn how it is typically used:
Attacks that rely on components other than the SecureDrop application code, such as Tor Browser, will be considered as long as the attacks can be used to successfully exploit the SecureDrop system.
The following are minimum awards for the following attacks:
$500 - Stored or reflected XSS on the journalist interface
$750 - SQL injection on the journalist interface
$1000 - Authentication bypass on the journalist interface
$1500 - Stored XSS, reflected XSS on the source interface
$2000 - RCE on the source or journalist interface, SQL injection or Authentication bypass on source interface
$2500 - Recovery of private key material, successful recovery of decrypted SecureDrop submissions.
This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of other findings. However, generally we will reward more for an issue exploitable through the source interface than through the journalist interface, since an attacker needs a valid ATHS token to access the journalist interface whereas the source interface is accessible by any Tor user.
- Pre-existing GitHub issues
- All Common "Non-qualifying" Submission Types from the Bugcrowd Standard Disclosure Terms.
- Network and application level Denial of Service (DoS/DDoS) vulnerabilities. This includes continuous large submissions and continuous codename generation.
- Disclosure of known public files or directories, e.g. codename word lists.
- Attacks that rely on other browsers (our threat model assumes Tor Browser or Tails).
- Attacks that rely on use of tor2web to access the Source Interface (our threat model assumes this is not used).
- Attacks on 3rd party providers, e.g. use of Google for DNS and SMTP.
- Attacks that rely solely on the development environment and/or the virtualized platform (this includes the use of default credentials in these environments).
- Functional, UI and UX bugs and spelling mistakes.
- Pointing out that pip packages aren't signed.
- Descriptive error messages (e.g. Stack Traces, application or server errors).
- Pointing out the lack of HTTPS since Tor Onion services are used.
- Pointing out that metadata is not removed from uploaded documents (this is intentional in order to allow journalists to use metadata to validate documents).
- Missing HTTP security headers, such as pointing out missing
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.
Eligibility and Responsible Disclosure
We greatly appreciate all the researchers who help us improve the security of SecureDrop. Researchers who meet the following eligibility requirements may receive a reward:
- You must be the first reporter of a vulnerability
- The vulnerability must be a qualifying vulnerability (see "Eligible Submission Types")
- You may not publicly disclose the vulnerability prior to our resolution without first discussing it with us.
Terms and Conditions
As a condition of participation in this program, you hereby grant the Freedom of the Press Foundation a perpetual, irrevocable, worldwide, royalty-free, transferrable, sub-licensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create a derivative work from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to the Freedom of the Press Foundation in connectiontherewith, for any purpose.
You must comply with all applicable laws in connection with your participation in this program. As well, this program is not an offer of employment, nor of a contractual relationship between the Freedom of the Press Foundation and any other party. You are also responsible for any applicable taxes associated with any reward you receive.
We may modify the terms of this program or terminate this program at any time. We will not apply changes to this program retroactively.