SecureDrop

  • $100 – $2,500 per vulnerability
  • Partial safe harbor
  • Managed by Bugcrowd

Program stats

2 vulnerabilities rewarded

Validation within about 11 hours
75% of submissions are accepted or rejected within about 11 hours

Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

SecureDrop is an open-source whistleblower submission system that media organizations can use to securely accept documents from and communicate with anonymous sources. It is currently a project of Freedom of the Press Foundation and was originally created by the late Aaron Swartz.

SecureDrop aims to help parties communicate securely by using a number of privacy enhancing tools, including Tor, Tails, QubesOS and GPG. The system runs on dedicated hardware and is isolated from the media organization's corporate network with a dedicated network firewall.

SecureDrop provides two web interfaces, both of which are only accessible as hidden services in the Tor network; one that sources use to send messages or upload documents, and one that journalists use to check submitted information and reply to sources. All communication happens over the Tor network, and submissions are encrypted at rest with GPG. Either Tails on an air-gapped computer or QubesOS is used when reviewing the information submitted.

We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a fundamental belief at the Freedom of the Press Foundation. We appreciate the community's efforts in creating a more secure ecosystem.

To learn more, please read the FAQ and threat model document.

If you have any questions, contact support@bugcrowd.com with the subject line "securedrop".

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email support@bugcrowd.com. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

Eligibility and Responsible Disclosure

We greatly appreciate all the researchers who help us improve the security of SecureDrop. Researchers who meet the following eligibility requirements may receive a reward:

  • You must be the first reporter of a vulnerability
  • The vulnerability must be a qualifying vulnerability (see "Eligible Submission Types")
  • You may not publicly disclose the vulnerability prior to our resolution without first discussing it with us

Terms and Conditions

As a condition of participation in this program, you hereby grant the Freedom of the Press Foundation a perpetual, irrevocable, worldwide, royalty-free, transferable, sub-licensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create a derivative work from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to the Freedom of the Press Foundation in connection therewith, for any purpose.

You must comply with all applicable laws in connection with your participation in this program. As well, this program is not an offer of employment, nor of a contractual relationship between the Freedom of the Press Foundation and any other party. You are also responsible for any applicable taxes associated with any reward you receive.

We may modify the terms of this program or terminate this program at any time. We will not apply changes to this program retroactively.