Assuming you found a security issue in OpenWhisperSystems you consider worth to report privately, how do you do so? Check the whispersystems.org website, you won’t find an e-mail address other than one to apply for a job.
Remember, there are whois records. Checking whois records for whispersystems.org, I find it’s registered by “Coral Sea Enterprises LLC” in Canary Islands. Searching for this term it seems this a fake identity used by Moxie to register his domains. Using fake identities might be somewhat suitable for personal domains, but not for a company selling a security product to millions of customers.
The only way I found to contact OpenWhisperSystems is the @whispersystems Twitter account. This account is not a verified Twitter account, but widely known to be used by OpenWhisperSystems. So I asked:
@whispersystems what’s the desired way to report security issues in Signal on Android?
The only answer I receive, is not from @whispersystems, but from @OWS411, which seems to be some support account used by OpenWhisperSystems:
email@example.com. Feel free to refer and cite lines in the source code: https://github.com/WhisperSystems/
No information on encryption or alike, so my immediate response is:
@OWS411 @whispersystems encryption? smime/pgp?
There was no response to this message yet.
So at least I got a mail address. No e2e-encryption, but since we have transport encryption for e-mails, that’s not too bad. Well, as long as the e-Mail-Server hosting the e-Mails is trustworthy. Let’s check the MX records of whispersystems.org to verify that — wait, they are using Google Apps for Business to handle their e-Mails.
OK, next try. Why don’t we contact Moxie directly? He is using encryption for his personal e-Mails, right? Seems he is not: The only publicly available PGP key I found is a 1024 bit RSA key from 2007. It is not signed by a relevant number of people – which might be because Moxie is not Moxie’s real name.
I conclude there is no way to contact OpenWhisperSystems for responsible disclosure. And this is the company we trust for a crypto messenger and Snowden suggests to use.