To: predisclosure-applications@lists.xenproject.org,
 Ian Jackson <ian.jackson@citrix.com>
References: <c65b7d83-ec94-8deb-9dda-18f98ee56240@freedom.press>
 <24079.13142.488220.975919@mariner.uk.xensource.com>
 <2acf6db8-5e06-79ee-6ec0-6b0023d0ae87@freedom.press>
From: Mickael E <mickael@freedom.press>
Subject: Re: [Predisclosure-applications] SecureDrop / Freedom of the Press
 Foundation request
Message-ID: <74d32e90-d8c0-e649-d609-1baedcdc6ffd@freedom.press>
Date: Fri, 31 Jul 2020 10:56:34 -0400
MIME-Version: 1.0
In-Reply-To: <2acf6db8-5e06-79ee-6ec0-6b0023d0ae87@freedom.press>
Content-Type: multipart/signed; micalg=pgp-sha512;
 protocol="application/pgp-signature";
 boundary="YiFOA7bsdg7xMx4ZeVwhVncdoA2vXqpb1"
List-Id: Applications for membership of Xen Security Advisories Pre-disclosure
 List <predisclosure-applications.lists.xenproject.org>
Cc: "security@freedom.press" <security@freedom.press>,
 Jennifer Helsby <jen@freedom.press>


Hello,

Based on the update provided by my colleague below (the SecureDrop
Workstation is now in production use with several news organizations),
do you need any further information to complete this application to the
predisclosure list?

Thank you again for your time and consideration,

Mickael

On 4/30/20 11:04 AM, Jennifer Helsby wrote:
> On 1/3/20 7:28 AM, Ian Jackson wrote:
>
>> this software is not "released" in the appropriate sense.  The page
>> itself says:
>>
>>   IMPORTANT: This project is in alpha, has known bugs and shortcomings,
>>   and should not be used in production environments.
>>
>> and gives a link to a known set of existing security issues.  It
>> doesn't seem to us that you are in a position to imminently remove
>> that caveat.  When you make (or are about to make) a release that
>> might be used in production (although perhaps only by advanced users
>> who will tolerate bugs - a beta, you might say) we think you will
>> qualify.
> An update: this software is now in production use and the warning was
> removed prior to the first production releases, so I'd like to resubmit
> SecureDrop / Freedom of the Press Foundation for consideration [0, 1].
> I've included the full application below for convenience. Please let me
> know if there is any other information I can provide.
>
> Thank you for your time,
>
> Jen
>
> [0] https://securedrop.org/news/piloting-securedrop-workstation-qubes-os/
>
> [1]
> https://github.com/freedomofpress/securedrop-workstation#production-and-staging-environments
>
> ----
>
> Full application:
>
> As background, SecureDrop is a whistleblowing platform used by dozens
> of news organizations including the Washington Post and the New York
> Times to accept and triage tips from journalistic sources. It is
> currently supported by Freedom of the Press Foundation.
>
> The name of your organization: Freedom of the Press Foundation
>
> Domain name(s) which you use to provide Xen software/services:
> https://securedrop.org, https://freedom.press
>
> A brief description of why you fit the criteria: The SecureDrop Workstation
> (https://github.com/freedomofpress/securedrop-workstation/) is a
> product used by journalists at news organizations which relies on the
> security and isolation properties of the Xen hypervisor (via QubesOS)
> for opening potentially malicious documents submitted to the tipline in
> order to protect other submissions and sensitive information on
> journalist workstations.
>
> If not all of your products/services use Xen, a list of (some of)
> your products/services (or categories thereof) which do.
>
> Only the SecureDrop workstation is based on Xen via QubesOS
> (https://qubes-os.org).
>
> Link(s) to current public web pages, belonging to your organisation,
> for each of following pieces of information:
>
> Evidence of your status as a service/software provider:
>
> Freedom of the Press Foundation develops and maintains several open
> source projects such as SecureDrop and the SecureDrop workstation. You
> can see the main text on https://securedrop.org and
> https://freedom.press as evidence of this. In addition, news
> organizations that wish to contract with us for paid support services
> can do so here: https://securedrop.org/help/
>
> If you are a public hosting provider, your public rates or how to get
> a quote: N/A
>
> If you are a software provider, how your software can be downloaded
> or purchased:
>
> Download and install QubesOS (https://qubes-os.org) and install the
> SecureDrop workstation following the documentation in the README at:
> https://github.com/freedomofpress/securedrop-workstation/
>
> If you are an open-source project, a mailing list archive and/or
> version control repository, with active development:
> https://github.com/freedomofpress/securedrop/
> https://github.com/freedomofpress/securedrop-workstation
> Evidence of your status as a user/distributor of Xen: Statements about,
> or descriptions of, your eligible production services or released software,
> from which it is immediately evident that they use Xen.
>
> The workstation at https://github.com/freedomofpress/securedrop-workstation
> requires the use of Qubes/Xen.
>
> Information about your handling of security problems:
>
> Your invitation to members of the public, who discover security
> problems with your products/services, to report them in confidence to you;
>
> We invite reports via:
>
> https://github.com/freedomofpress/securedrop-workstation/blob/master/SECURITY.md
> https://github.com/freedomofpress/securedrop/blob/develop/SECURITY.md
>
> Specifically, the contact information (email addresses or other
> contact instructions) which such a member of the public should use.
>
> We receive security reports at: security@freedom.press
> We also have a public security bug bounty program at:
> https://bugcrowd.com/freedomofpress
> We publish security advisories at:
> https://securedrop.org/news/security-advisory/
>
> We have read the policy and agree to abide by the terms for inclusion in
> this list, including the embargo.
>
> The single (non-personal) email alias you wish added to
> the predisclosure list. security@freedom.press
>
