Freedom of the Press Foundation (FPF), a nonprofit organization dedicated to protecting and defending public interest journalism, is hiring (Sr.) Software Engineers to join the (fully-remote) SecureDrop team.
is an open-source
whistleblower submission system used by journalists to communicate with sources. Through its hardened architecture and the use of the Tor network
, it offers whistleblowers strong security and anonymity protections. SecureDrop is used by more than 70 news organizations worldwide, including The New York Times
, The Washington Post
, The Guardian
, and The Intercept
What we’re looking for
We are looking for additional engineers to work with us on SecureDrop’s two main components:
- SecureDrop Server: a whistleblowing system deployed on hardened Ansible-managed Ubuntu servers, hosting two Python web applications available as onion services over the Tor Network.
- SecureDrop Workstation (Beta): a platform built on top of Qubes OS to make SecureDrop faster and simpler for journalists to use. It consists of multiple Python GUI applications and services that span across a suite of SaltStack-provisioned, task-specific virtual machines. This is close to ready for wider production use as we near the end of our pilot program.
We’re especially looking for folks with experience in one or more of these areas:
- Python application development in security-sensitive domains
- Desktop GUI development (preferably using Qt or another Linux-compatible framework)
- Configuration management using Salt or Ansible
- Reproducible builds using Debian-based package management
Experience in any of these areas is good to have:
- Threat modeling, penetration testing, vulnerability management, and incident response
- Development or integration of cryptographic libraries
- Qubes, Tails, Tor, and other privacy/security technologies
- Use of Rust, for personal projects or real-world applications
- Creating design specifications and building consensus through clear verbal and written communication within a distributed engineering team
- Complex continuous integration pipelines, including use of nested virtualization
What you’ll be working on
Here are examples for the kinds of tasks the person in this role could be taking on in the first 6 months:
- Adding new features to SecureDrop Workstation, such as workflows for redacting and sanitizing documents
- Building out server API functionality to support SecureDrop Workstation development
- Performing code reviews for contributions from the development team and the larger SecureDrop community
- Performing security reviews of updated upstream code dependencies
- Testing the security properties of current and proposed functionality/architecture using quantitative threat models and other techniques
- Prototyping client-side encryption for journalist and source communication
- Working with security consultants during penetration testing and audits of SecureDrop Server and Workstation
What it’s like to work with us
This is a unique opportunity to be part of a small, fully-remote, and internationally-distributed team that is making it possible for newsrooms to manage their most sensitive submissions, from the next big story about abuse of government power to the exposure of corruption at the local level.
In addition to fellows and interns, four engineers are currently working on SecureDrop full-time. You can view our team and colleagues at https://freedom.press/about/staff/
If you think you’d like to be a part of our team, please send a short cover letter and your resume to email@example.com. Women, non-binary individuals, and minorities are especially encouraged to apply.
This is a full-time role at a competitive non-profit salary. For US employees: FPF provides health, dental and vision insurance (via Aetna); 20 days of personal time off and 13 holidays; up to 12 weeks of paid paternity/maternity leave; and a 401(k) program. Freedom of the Press Foundation matches your 401(k) contributions dollar for dollar, up to 4 percent of your gross salary.