
Re: [Predisclosure-applications] SecureDrop / Freedom of the Press Foundation request


  • To: Ian Jackson <ian.jackson@xxxxxxxxxx>
  • From: Jennifer Helsby <jen@freedom.press>
  • Date: Thu, 30 Apr 2020 11:04:43 -0400
  • Cc: predisclosure-applications@xxxxxxxxxxxxxxxxxxxx, "security@freedom.press" <security@freedom.press>
  • Delivery-date: Mon, 04 May 2020 10:03:38 +0000
  • List-id: Applications for membership of Xen Security Advisories Pre-disclosure List <predisclosure-applications.lists.xenproject.org>

On 1/3/20 7:28 AM, Ian Jackson wrote:

> this software is not "released" in the appropriate sense.  The page
> itself says:
>
>   IMPORTANT: This project is in alpha, has known bugs and shortcomings,
>   and should not be used in production environments.
>
> and gives a link to a known set of existing security issues.  It
> doesn't seem to us that you are in a position to imminently remove
> that caveat.  When you make (or are about to make) a release that
> might be used in production (although perhaps only by advanced users
> who will tolerate bugs - a beta, you might say) we think you will
> qualify.

An update: this software is now in production use and the warning was
removed prior to the first production releases, so I'd like to resubmit
SecureDrop / Freedom of the Press Foundation for consideration [0, 1].
I've included the full application below for convenience. Please let me
know if there is any other information I can provide.

Thank you for your time,

Jen

[0] https://securedrop.org/news/piloting-securedrop-workstation-qubes-os/

[1] https://github.com/freedomofpress/securedrop-workstation#production-and-staging-environments

----

Full application:

As background, SecureDrop is a whistleblowing platform used by dozens
of news organizations including the Washington Post and the New York
Times to accept and triage tips from journalistic sources. It is
currently supported by Freedom of the Press Foundation.

The name of your organization: Freedom of the Press Foundation

Domain name(s) which you use to provide Xen software/services:
https://securedrop.org, https://freedom.press 

A brief description of why you fit the criteria: The SecureDrop Workstation 
(https://github.com/freedomofpress/securedrop-workstation/) is a
product used by journalists at news organizations which relies on the
security and isolation properties of the Xen hypervisor (via QubesOS)
for opening potentially malicious documents submitted to the tipline in
order to protect other submissions and sensitive information on
journalist workstations.

If not all of your products/services use Xen, a list of (some of)
your products/services (or categories thereof) which do.

Only the SecureDrop workstation is based on Xen via QubesOS
(https://qubes-os.org).

Link(s) to current public web pages, belonging to your organisation,
for each of following pieces of information:

Evidence of your status as a service/software provider: 

Freedom of the Press Foundation develops and maintains several open
source projects such as SecureDrop and the SecureDrop workstation. You
can see the main text on https://securedrop.org and
https://freedom.press as evidence of this. In addition, news
organizations that wish to contract with us for paid support services
can do so here: https://securedrop.org/help/

If you are a public hosting provider, your public rates or how to get
a quote: N/A 

If you are a software provider, how your software can be downloaded
or purchased:

Download and install QubesOS (https://qubes-os.org) and install the
SecureDrop workstation following the documentation in the README at:
https://github.com/freedomofpress/securedrop-workstation/

If you are an open-source project, a mailing list archive and/or
version control repository, with active development:
https://github.com/freedomofpress/securedrop/
https://github.com/freedomofpress/securedrop-workstation

Evidence of your status as a user/distributor of Xen: Statements about, or
descriptions of, your eligible production services or released software, from
which it is immediately evident that they use Xen.

The workstation at https://github.com/freedomofpress/securedrop-workstation
requires the use of Qubes/Xen.

Information about your handling of security problems: 

Your invitation to members of the public, who discover security
problems with your products/services, to report them in confidence to you; 

We invite reports via:

https://github.com/freedomofpress/securedrop-workstation/blob/master/SECURITY.md
https://github.com/freedomofpress/securedrop/blob/develop/SECURITY.md

Specifically, the contact information (email addresses or other
contact instructions) which such a member of the public should use. 

We receive security reports at: security@freedom.press 
We also have a public security bug bounty program at:
https://bugcrowd.com/freedomofpress 
We publish security advisories at:
https://securedrop.org/news/security-advisory/ 

We have read the policy and agree to abide by the terms for inclusion in this 
list, including the embargo. 

The single (non-personal) email alias you wish added to
the predisclosure list: security@freedom.press

-- 
Jennifer Helsby, Ph.D.
SecureDrop Lead Developer
Freedom of the Press Foundation
<jen@freedom.press>
GnuPG: F48E CC56 4980 83F1 80DF F943 DA05 B7C5 2ABA F334
Twitter: @redshiftzero
Github: https://github.com/redshiftzero
