SecureDrop is an open-source whistleblower submission system that media organizations can use to securely accept documents from and communicate with anonymous sources. It is currently a project of Freedom of the Press Foundation and was originally created by the late Aaron Swartz.
SecureDrop aims to help parties communicate securely by using a number of privacy enhancing tools, including Tor, Tails and GPG. The system runs on dedicated hardware and is isolated from the media organization's corporate network with a separate firewall.
SecureDrop provides two web interfaces, both reachable only as Tor onion services (hidden services): the source interface, which sources use to send messages or upload documents, and the journalist interface, which journalists use to retrieve submissions and reply to sources. All communication happens over the Tor network, every submission is encrypted with GPG on the server, and submissions are decrypted and reviewed on a separate air-gapped computer running Tails.
We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a fundamental belief at the Freedom of the Press Foundation. We appreciate the community's efforts in creating a more secure world.
If you have any questions, contact firstname.lastname@example.org with the subject line "securedrop".
| Target name | Type |
| --- | --- |
| <https://github.com/freedomofpress/securedrop> | Other |
In order to give researchers as much access to the SecureDrop system as possible, and thus provide a bounty that is more effective than just a black box test or code review, we recommend that researchers set up their own instance of SecureDrop for testing and analysis. You can do this quickly and easily with our automated deployment process.
You can choose to deploy SecureDrop locally in a virtualized environment (Vagrant + VirtualBox), or you can deploy it on dedicated hardware to most accurately emulate a production installation. We recommend choosing the environment based on what you are interested in testing: for example, vulnerabilities in the web application or the server stack will be auditable from the virtualized environment, while vulnerabilities in the air-gapped document decryption workflow will be more easily auditable with a full installation on dedicated hardware.
Note that all production instances are run on dedicated hardware and the virtualized environments are only meant for development and testing. Vulnerabilities that rely on the virtualized environment will not be considered for a reward.
To use the virtual environment, you will need a machine capable of running Vagrant, Ansible, and VirtualBox, with at least 2GB of available RAM. A preconfigured Vagrantfile is included in the SecureDrop Git repository and can set up three different virtual environments: development, staging, and prod. We recommend using prod for security research because it most closely emulates a production installation.
Vulnerabilities that rely on changes specific to the development or staging virtual environments will not be considered for a reward.
To set up a virtual test environment, start by cloning the repository:

```bash
git clone https://github.com/freedomofpress/securedrop.git
```
If you are interested in using a test environment that mirrors a production installation as closely as possible, you should:
Note that a full production install, while mostly automated (and much easier than it used to be), is quite complicated and not for the faint of heart. Here's how it was recently described on Twitter.
Once you've set up a SecureDrop environment for testing, see these resources to learn how it is typically used:
Attacks that rely on components other than the SecureDrop application code, such as Tor Browser, will be considered as long as the attacks can be used to successfully exploit the SecureDrop system.
Minimum awards for the following attack classes:
$500 - Stored or reflected XSS on the journalist interface
$750 - SQL injection on the journalist interface
$1000 - Authentication bypass on the journalist interface
$1500 - Stored or reflected XSS on the source interface
$2000 - RCE on the source or journalist interface; SQL injection or authentication bypass on the source interface
$2500 - Recovery of private key material, or recovery of decrypted SecureDrop submissions
This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of other findings. However, we will generally reward more for an issue exploitable through the source interface than through the journalist interface: an attacker needs a valid ATHS (authenticated Tor hidden service) credential before Tor will even connect them to the journalist interface, whereas the source interface is reachable by any Tor user.
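To make that access-control difference concrete, the following torrc fragments are an added illustration of how a legacy (v2) authenticated hidden service works in Tor; they are not SecureDrop's own configuration, and the directory path, client name, onion address and cookie are placeholders. On the service side, Tor generates a per-client authorization cookie and writes it next to the onion address in the `hostname` file; on the client side, that cookie must be present in torrc, otherwise Tor cannot fetch the service descriptor and the connection fails before any HTTP request is sent.

```conf
## Service side (placeholder paths and client name)
HiddenServiceDir /var/lib/tor/services/journalist
HiddenServicePort 80 127.0.0.1:8080
HiddenServiceAuthorizeClient basic journalist1

## After Tor restarts, /var/lib/tor/services/journalist/hostname contains
## one line per authorized client, e.g. (placeholder values):
##   abcdefghijklmnop.onion AbCdEfGhIjKlMnOpQrStUv # client: journalist1

## Client side (e.g. the journalist workstation's torrc), placeholder values
HidServAuth abcdefghijklmnop.onion AbCdEfGhIjKlMnOpQrStUv
```

This is why a journalist-interface bug requires a stolen or leaked cookie to exploit, while anything on the source interface is exposed to the whole Tor network. Note that `HiddenServiceAuthorizeClient` and `HidServAuth` belong to v2 onion services, which have been removed from Tor since 0.4.6; v3 services implement client authorization with key pairs instead (`authorized_clients/` on the service, `ClientOnionAuthDir` on the client).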
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.
Eligibility and Responsible Disclosure
We greatly appreciate all the researchers who help us improve the security of SecureDrop. Researchers who meet the following eligibility requirements may receive a reward:
You must be the first reporter of a vulnerability
The vulnerability must be a qualifying vulnerability (see "Eligible Submission Types")
You may not publicly disclose the vulnerability prior to our resolution without first discussing it with us.
Terms and Conditions
As a condition of participation in this program, you hereby grant the Freedom of the Press Foundation a perpetual, irrevocable, worldwide, royalty-free, transferable, sub-licensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create a derivative work from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to the Freedom of the Press Foundation in connection therewith, for any purpose.
You must comply with all applicable laws in connection with your participation in this program. This program is not an offer of employment, nor of a contractual relationship between the Freedom of the Press Foundation and any other party. You are also responsible for any applicable taxes associated with any reward you receive.
We may modify the terms of this program or terminate this program at any time. We will not apply changes to this program retroactively.