SecureDrop

Whistleblower submission platform. Sources submit anonymously via Tor.

Personal security
Built for journalism
Open source
Strong
https://securedrop.org
Reviewed 2026-04-02
Editorial assessment by Mike Schneider — based on public security research and audits

What should journalists know about SecureDrop?

SecureDrop is how major investigations start. It is the gold standard for anonymous source communication — Tor-only access, end-to-end encryption, no metadata retention, air-gapped document viewing. Six independent security audits since launch, most recently by 7ASecurity in mid-2024, which found only one medium-severity and two low-severity issues across the entire codebase. The new SecureDrop Workstation (Qubes-based) entered open beta in July 2024 and is rolling out to all SecureDrop newsrooms. A fully rewritten journalist app is feature-complete and awaiting its security audit in early 2026. This is institutional infrastructure — it requires dedicated hardware, on-site servers, and IT staff. Not a tool for individuals. But for newsrooms doing sensitive work, nothing else comes close.

Best for

Receiving anonymous tips and documents. Running a secure tip line for investigative reporting. Any newsroom where source protection is non-negotiable.

Not for

Individual freelancers (requires two dedicated servers on-premises). Small teams without IT support. Quick back-and-forth communication (asynchronous by design — sources check back for replies).

Security & Privacy

Encryption in transit: Yes

Data is scrambled while being sent to their servers

Encryption at rest: Yes

Data is scrambled when stored on their servers

Data jurisdiction: On-premises only. Documents stored on newsroom-controlled servers inside your building. No third-party cloud. Air-gapped viewing recommended via dedicated Secure Viewing Station. Because there is no third-party host, any government subpoena must go directly to the news organization — which can fight it on First Amendment grounds.

Where servers are located — affects which governments can request your data

Security rating: Strong

Privacy policy summary

SecureDrop is designed to know nothing about sources. No IP logging, no browser fingerprinting, no metadata retention. Documents are encrypted on submission with the newsroom's public key. The architecture assumes the server could be compromised and still protects source identity. Even printer tracking dots are addressed in operational guidance.

How to protect yourself:

Follow FPF's installation guide precisely — a 2017 audit found a vulnerability in the install process (fetching packages over HTTP without signature verification). Use air-gapped machines for viewing submissions. Train all journalists who access the system on operational security — Reality Winner was caught partly because The Intercept mishandled printer steganography dots, not because SecureDrop failed. Regularly update the SecureDrop installation (the Ubuntu 20.04-to-24.04 migration in 2025 was fully automated for most instances). Consider upgrading to SecureDrop Workstation for integrated Qubes-based isolation.

Purpose-built for source protection. Tor-only access, E2E encryption, no metadata retention, air-gapped viewing. Open-source with six completed security audits (most recent: 7ASecurity, mid-2024 — one medium, two low findings, all patched in v2.10.0). No known incidents of source exposure through SecureDrop itself. Backed by Freedom of the Press Foundation with $20.7M in assets and a dedicated security engineering team led by CTO Jennifer Helsby.

Who Owns This

Owner: Freedom of the Press Foundation (501(c)(3) nonprofit)
Funding: Donations, grants, and major gifts. Jack Dorsey's #startsmall donated $10M in January 2024 — the largest gift in FPF history. Open Technology Fund sponsors security audits. FPF reported $5.25M income and $20.7M net assets in 2024 IRS filings.
Business model: Nonprofit. Software is free. FPF provides installation support, training, and priority support contracts. No revenue from the tool itself. FPF published a 2025–2026 strategic plan and is led by board president Rainey Reitman (succeeding Edward Snowden). Dr. Jennifer Helsby joined as CTO in 2025, replacing VP of Engineering Erik Möller after seven years.

Known issues

High operational burden — requires two dedicated servers, a firewall appliance, physical security, and ongoing IT maintenance. Not viable for freelancers or small outlets without technical staff. SecureDrop Workstation (Qubes-based) is still in open beta as of early 2026; the new journalist app rewrite is awaiting its security audit. The 2024 audit found the project meets only SLSA Level 1 because builds happen on developer workstations, not a dedicated build machine. GlobaLeaks is a lighter alternative for organizations that do not need Tor-only access — it supports clearnet and has been deployed in over 2,000 projects globally — but GlobaLeaks was not designed specifically for journalism and lacks SecureDrop's air-gapped viewing model.

Pricing

Free. Hardware costs ~$1,500–$2,500 for two dedicated servers and a firewall appliance. FPF offers pro-bono installation support for independent and nonprofit newsrooms (you cover travel). Priority support contracts available for larger organizations.

This is an editorial assessment based on publicly available information as of 2026-04-02, using our published methodology. Independent security review is pending. Security posture can change at any time. This is not a guarantee of safety.