Now that Whonix is a decade old, widely respected and stable, and has an increasing user base, one major issue is outstanding - an official security audit.
In light of recent security audits undertaken by OTF of OnionShare and the like, it is worth reaching out to see if they would consider Whonix as a suitable audit candidate.
The Whonix platform explicitly fits the bill of their Red Team Lab goals:
The Red Team Lab is one of several in-kind services offered by OTF. Through the Red Team Lab, OTF strives to accomplish the following:
- To strengthen the security of open-source internet freedom software by providing auditing services. The lab offers third-party services focused on improving the software security of projects that advance OTF’s internet freedom goals. Audits ensure that the code, data, and people behind the tools have what they need to create a safer experience for people experiencing repressive information controls online.
- To engage in public safety audits. This allows the lab to audit and reverse-engineer potential malicious apps deployed by governments or state-sponsored actors, which may be putting users at risk through a grave privacy and security overreach.
The lab will prioritize supporting the following projects:
- Internet freedom efforts, tools, and software currently or previously supported by OTF
- Efforts that fit within OTF’s remit, but for various reasons, may not be current or previous recipients of OTF funding
Projects the Lab seeks to support
Some examples of applications the Red Team Lab will review are the following:
- An Internet freedom project seeking a security audit of their software
- An Internet freedom project looking for short-term support for remediation of known vulnerabilities
- An internet freedom project looking for a security architecture and design review in the early stages of a project from a trusted and capable third party
The ideal applicant is a software developer, project lead, systems administrator, or an information security technologist who can speak on behalf of a software project that has the ability to adequately respond to and maintain the lab’s output after the support is concluded.
In other words, Whonix would be a perfect candidate. Why not make contact?