Cryptography Engineer
The Cryptography Engineer will design and specify extensions to the SecureDrop end-to-end encryption protocol for new security properties or features (e.g., implementing abuse-resistance features).
Position description
Freedom of the Press Foundation (FPF), a nonprofit organization dedicated to protecting, defending, and empowering public-interest journalism, is hiring a cryptography engineer to join its SecureDrop development team. Reporting to the engineering manager for SecureDrop, this position is a unique opportunity to be part of a small, primarily remote, and internationally distributed team that is making it possible for newsrooms to manage their most sensitive submissions, from the next big story about abuse of government power to the exposure of corruption at the local level.
This position will work alongside the other five engineers on the team contributing to the project. You can learn more about our team and colleagues here. As a team, we strive to provide an equitable and collaborative environment. We have strong expectations of mutual respect, kindness, and understanding, and we build those expectations into our work through processes like blameless retrospectives. We share responsibilities for tasks like code review and release management, and support each other in learning and professional development goals.
About the project
SecureDrop is an open source whistleblower submission system used by journalists to communicate with sources. Through its hardened architecture and the use of the Tor network, it offers whistleblowers strong security and anonymity protections. Used by more than 70 news organizations worldwide, including The New York Times, The Washington Post, The Guardian, and Al Jazeera, SecureDrop is composed of a variety of components:
SecureDrop Server: an anonymous whistleblowing system, deployed on hardened and Ansible-managed Ubuntu servers, hosting two web applications available as onion services over the Tor network.
SecureDrop Workstation: a platform built on top of Qubes OS to make SecureDrop faster and simpler for journalists to use. It consists of an Electron application and other services that span across a suite of SaltStack-provisioned, task-specific virtual machines.
SecureDrop Protocol: an end-to-end encrypted protocol designed specifically for whistleblowing systems, currently being implemented in Rust as the foundation for the next-generation SecureDrop Server.
The team is developing the next-generation SecureDrop Server, which provides end-to-end encryption while allowing for easier deployments compared with the current system. As part of the team, a successful candidate will have a key role in these efforts.
Responsibilities
Designing and specifying extensions to the SecureDrop end-to-end encryption protocol for new security properties or features (e.g., implementing abuse-resistance features).
Contributing to the formal modeling of the SecureDrop end-to-end encryption protocol.
Implementing client-side encryption for journalist and source communication.
Working with the rest of the team to integrate the protocol into the SecureDrop source and journalist workflows.
Performing code reviews for contributions from the development team and the larger SecureDrop community.
Testing the security properties of current and proposed functionality/architecture.
Working with external collaborators — for example, UX consultants during development of new features, or academic researchers studying SecureDrop or other privacy-enhancing technologies.
Taking turns on maintenance and release tasks with the rest of the team.
Other responsibilities as assigned by the SecureDrop engineering manager.
Qualifications
Must have
One-plus years of substantial Rust experience, in production, research, or open source projects.
Either (a) five-plus years of full-time experience as a software engineer in a production environment, (b) a master's degree with three-plus years of full-time experience as a software engineer in a production environment, or (c) a Ph.D. with one-plus year of substantial coding experience, plus some industry or open source software development experience.
Experience designing or implementing cryptographic protocols.
Strong written communication skills for protocol specifications and technical documentation.
Experience with Git, continuous integration, build automation, and test-driven development.
Experience working as part of collaborative team processes, including routine peer review of code contributions.
A passion for protecting the press freedom rights of all.
Preferred
Tell us in your cover letter if you have experience in one or more of the following areas:
Familiarity with formal modeling tools (Tamarin, ProVerif, or similar).
Interest in keeping up with the state-of-the-art in testing and verification techniques.
Experience with academic or industry cryptography research.
Experience with threat modeling, auditing, and vulnerability management.
Experience implementing cryptography in web environments.
Experience with Qubes, Tails, Tor, or other privacy/security technologies.
Contributions to open source software, especially cryptographic libraries or protocol implementations.
Experience developing technologies to support activist, journalist, or civil society communities.
Working with us
This is a full-time role with a competitive nonprofit salary in the range of $120,000-140,000, depending on experience. This position is available to all U.S.-based remote candidates. For more information on our full benefits package, please visit our website’s careers page. FPF does not discriminate on the basis of an individual’s sex, age, race, color, creed, national origin, alienage, religion, marital status, pregnancy, sexual or reproductive health decisions, sexual orientation or affectional preference, gender identity and expression, disability, genetic trait or predisposition, carrier status, citizenship, veteran or military status, and other personal characteristics protected by law.
How to apply
If you think you’d like to be a part of our team, please submit your résumé and a cover letter (no longer than one page).
After an initial application review, FPF’s hiring process involves a phone screening and a timed skills assessment. For candidates moving to the final stages, a teamwide panel and a final meeting with our CTO and executive director will follow.
- Department: SecureDrop
- Remote status: Fully Remote
- Yearly salary: $120,000 - $140,000
- Employment type: Full-time