
Re: [Predisclosure-applications] SecureDrop / Freedom of the Press Foundation request

  • To: predisclosure-applications@xxxxxxxxxxxxxxxxxxxx, Ian Jackson <ian.jackson@xxxxxxxxxx>
  • From: Mickael E <mickael@freedom.press>
  • Date: Fri, 31 Jul 2020 10:56:34 -0400
  • Cc: "security@freedom.press" <security@freedom.press>, Jennifer Helsby <jen@freedom.press>
  • Delivery-date: Mon, 10 Aug 2020 14:32:28 +0000
  • List-id: Applications for membership of Xen Security Advisories Pre-disclosure List <predisclosure-applications.lists.xenproject.org>


Based on the update provided by my colleague below (the SecureDrop
Workstation is now in production use with several news organizations),
do you need any further information to complete this application to the
predisclosure list?

Thank you again for your time and consideration,


On 4/30/20 11:04 AM, Jennifer Helsby wrote:
> On 1/3/20 7:28 AM, Ian Jackson wrote:
>> this software is not "released" in the appropriate sense.  The page
>> itself says:
>>   IMPORTANT: This project is in alpha, has known bugs and shortcomings,
>>   and should not be used in production environments.
>> and gives a link to a known set of existing security issues.  It
>> doesn't seem to us that you are in a position to imminently remove
>> that caveat.  When you make (or are about to make) a release that
>> might be used in production (although perhaps only by advanced users
>> who will tolerate bugs - a beta, you might say) we think you will
>> qualify.
> An update: this software is now in production use and the warning was
> removed prior to the first production releases, so I'd like to resubmit
> SecureDrop / Freedom of the Press Foundation for consideration [0, 1].
> I've included the full application below for convenience. Please let me
> know if there is any other information I can provide.
> Thank you for your time,
> Jen
> [0] https://securedrop.org/news/piloting-securedrop-workstation-qubes-os/
> [1] https://github.com/freedomofpress/securedrop-workstation#production-and-staging-environments
> ----
> Full application:
> As background, SecureDrop is a whistleblowing platform used by dozens
> of news organizations including the Washington Post and the New York
> Times to accept and triage tips from journalistic sources. It is
> currently supported by Freedom of the Press Foundation.
> The name of your organization: Freedom of the Press Foundation
> Domain name(s) which you use to provide Xen software/services:
> https://securedrop.org, https://freedom.press 
> A brief description of why you fit the criteria: The SecureDrop Workstation 
> (https://github.com/freedomofpress/securedrop-workstation/) is a
> product used by journalists at news organizations which relies on the
> security and isolation properties of the Xen hypervisor (via QubesOS)
> for opening potentially malicious documents submitted to the tipline in
> order to protect other submissions and sensitive information on
> journalist workstations.
> If not all of your products/services use Xen, a list of (some of)
> your products/services (or categories thereof) which do.
> Only the SecureDrop workstation is based on Xen via QubesOS
> (https://qubes-os.org).
> Link(s) to current public web pages, belonging to your organisation,
> for each of following pieces of information:
> Evidence of your status as a service/software provider: 
> Freedom of the Press Foundation develops and maintains several open
> source projects such as SecureDrop and the SecureDrop workstation. You
> can see the main text on https://securedrop.org and
> https://freedom.press as evidence of this. In addition, news
> organizations that wish to contract with us for paid support services
> can do so here: https://securedrop.org/help/
> If you are a public hosting provider, your public rates or how to get
> a quote: N/A 
> If you are a software provider, how your software can be downloaded
> or purchased:
> Download and install QubesOS (https://qubes-os.org) and install the
> SecureDrop workstation following the documentation in the README at:
> https://github.com/freedomofpress/securedrop-workstation/
> If you are an open-source project, a mailing list archive and/or
> version control repository, with active development:
> https://github.com/freedomofpress/securedrop/
> https://github.com/freedomofpress/securedrop-workstation
> Evidence of your status as a user/distributor of Xen: Statements about, or 
> descriptions of, your eligible production services or released software, from 
> which it is immediately evident that they use Xen. 
> The workstation at https://github.com/freedomofpress/securedrop-workstation
> requires the use of Qubes/Xen.
> Information about your handling of security problems: 
> Your invitation to members of the public, who discover security
> problems with your products/services, to report them in confidence to you; 
> We invite reports via:
> https://github.com/freedomofpress/securedrop-workstation/blob/master/SECURITY.md
> https://github.com/freedomofpress/securedrop/blob/develop/SECURITY.md
> Specifically, the contact information (email addresses or other
> contact instructions) which such a member of the public should use. 
> We receive security reports at: security@freedom.press 
> We also have a public security bug bounty program at:
> https://bugcrowd.com/freedomofpress 
> We publish security advisories at:
> https://securedrop.org/news/security-advisory/ 
> We have read the policy and agree to abide by the terms for inclusion in this 
> list, including the embargo. 
> The single (non-personal) email alias you wish added to
> the predisclosure list. security@freedom.press 
