How to (not) contact OpenWhisperSystems about security issues

Assuming you found a security issue in OpenWhisperSystems that you consider worth reporting privately, how do you do so? Check the whispersystems.org website and you won’t find an e-mail address other than one for job applications.

Remember, there are whois records. Checking the whois records for whispersystems.org, I find it’s registered by “Coral Sea Enterprises LLC” in the Canary Islands. Searching for this term, it seems this is a fake identity used by Moxie to register his domains. Using fake identities might be somewhat suitable for personal domains, but not for a company selling a security product to millions of customers.

The only way I found to contact OpenWhisperSystems is the @whispersystems Twitter account. This account is not a verified Twitter account, but it is widely known to be used by OpenWhisperSystems. So I asked:

@whispersystems what’s the desired way to report security issues in Signal on Android?

The only answer I received is not from @whispersystems, but from @OWS411, which seems to be some support account used by OpenWhisperSystems:

support@whispersystems.org. Feel free to refer and cite lines in the source code: https://github.com/WhisperSystems/

No information on encryption or the like, so my immediate response is:

@OWS411 @whispersystems encryption? smime/pgp?

There has been no response to this message yet.

So at least I got a mail address. No end-to-end encryption, but since we have transport encryption for e-mail, that’s not too bad. Well, as long as the e-mail server hosting the e-mails is trustworthy. Let’s check the MX records of whispersystems.org to verify that — wait, they are using Google Apps for Business to handle their e-mail.

OK, next try. Why don’t we contact Moxie directly? He uses encryption for his personal e-mail, right? It seems he does not: the only publicly available PGP key I found is a 1024-bit RSA key from 2007. It is not signed by a relevant number of people – which might be because Moxie is not Moxie’s real name.

I conclude there is no way to contact OpenWhisperSystems for responsible disclosure. And this is the company we trust for a crypto messenger, and the one Snowden suggests we use.