https://github.com/scidsg/hushline
Anonymous, end-to-end encrypted tip lines for organizations and individuals.
- Host: GitHub
- URL: https://github.com/scidsg/hushline
- Owner: scidsg
- License: agpl-3.0
- Created: 2023-03-28T01:06:05.000Z (about 3 years ago)
- Default Branch: main
- Last Pushed: 2026-05-09T17:05:58.000Z (25 days ago)
- Last Synced: 2026-05-09T18:31:29.465Z (25 days ago)
- Topics: anonymity, end-to-end-encryption, flask, human-rights, journalism, nonprofit, pgp, privacy, python, secure-messaging, security, source-protection, tipline, tor, whistleblowing
- Language: Python
- Homepage: https://hushline.app
- Size: 106 MB
- Stars: 127
- Watchers: 2
- Forks: 24
- Open Issues: 2
Metadata Files:
- Readme: README.md
- Funding: .github/FUNDING.yml
- License: LICENSE
- Security: SECURITY.md
- Agents: AGENTS.md
README
# Hush Line
[Hush Line](https://hushline.app) is an open source whistleblower platform for secure, anonymous, one-way disclosures to journalists, lawyers, and other trusted recipients.
Hosted service: [hushline.app](https://hushline.app)
Start here:
CI status badges:
- [Lighthouse](https://github.com/scidsg/hushline/actions/workflows/lighthouse.yml)
- [Lighthouse performance](https://github.com/scidsg/hushline/actions/workflows/lighthouse-performance.yml)
- [Tests](https://github.com/scidsg/hushline/actions/workflows/tests.yml)
- [GDPR compliance](https://github.com/scidsg/hushline/actions/workflows/gdpr-compliance.yml)
- [CCPA compliance](https://github.com/scidsg/hushline/actions/workflows/ccpa-compliance.yml)
- [Migration smoke](https://github.com/scidsg/hushline/actions/workflows/migration-smoke.yml)
- [E2EE privacy regressions](https://github.com/scidsg/hushline/actions/workflows/e2ee-privacy-regressions.yml)
- [Workflow security](https://github.com/scidsg/hushline/actions/workflows/workflow-security.yml)
- [Dependency security audit](https://github.com/scidsg/hushline/actions/workflows/dependency-security-audit.yml)
- [W3C validators](https://github.com/scidsg/hushline/actions/workflows/w3c-validators.yml)
- [Public record link check](https://github.com/scidsg/hushline/actions/workflows/public-record-link-check.yml)
- [Latest screenshots](https://github.com/scidsg/hushline-screenshots/tree/main/releases/latest)
## Why Hush Line
Hush Line is built for safety-critical reporting workflows where trust, anonymity, and usability all matter. The project's design priorities are:
- Usability of the software
- Authenticity of the receiver
- Plausible deniability of the whistleblower
- Availability of the system
- Anonymity of the whistleblower
- Confidentiality and integrity of disclosures
## Core Capabilities
| Area | What Hush Line Provides |
| ---------------------- | -------------------------------------------------------------------------------------- |
| Anonymous submissions | No submitter account required for sending disclosures |
| Encryption | End-to-end encryption workflow with recipient PGP keys, plus server-side fallback path |
| Receiver trust | Verified account workflow and trusted directory UX |
| Account security | Password authentication with optional TOTP 2FA |
| Privacy access | Tor onion support and privacy-preserving defaults |
| Communication workflow | Message status management, one-way replies, and optional email forwarding modes |
| Org customization | Branding controls, onboarding guidance, and configurable profile fields |
| Operational controls | Strong CI checks, migration compatibility testing, and workflow security validation |
## Quickstart (Local)
### 1) Clone and start
```sh
git clone https://github.com/scidsg/hushline.git
cd hushline
make serve
```
Open .
If you only want to start the current stack without first tearing it down, you can still use `docker compose up` or `make run`.
If you want a slower, guided setup for a brand-new machine, use the AI-ready prompt in [`docs/LOCAL-CONTRIBUTOR-ONBOARDING-PROMPT.md`](./docs/LOCAL-CONTRIBUTOR-ONBOARDING-PROMPT.md). It walks a new contributor through installing Git, Make, Docker, cloning the repo, starting the stack, and trying the first three local flows.
### 2) Common commands
| Command | Purpose | When to use |
| ----------------------------------------- | ---------------------------------------- | ------------------------------------------------- |
| `make serve` | Tear down and rebuild the local stack | Starting fresh or recovering from Docker drift |
| `make lint` | Run formatting/lint/type checks | Before opening a PR or after code changes |
| `make test` | Run full test suite with coverage output | Before opening a PR and after behavior changes |
| `make fix` | Apply formatting/lint autofixes | When lint reports fixable formatting/style issues |
| `make run` | Start the current local stack | Quick restarts when you do not need a full reset |
| `make run-full` | Run Stripe-enabled development stack | Testing paid-tier or Stripe-related flows |
| `docker compose down -v --remove-orphans` | Reset local Docker state | Clearing containers, volumes, and orphaned state |
## Security and Privacy
- Threat model: [`docs/THREAT-MODEL.md`](./docs/THREAT-MODEL.md)
- Security policy and vulnerability reporting: [`SECURITY.md`](./SECURITY.md)
- Privacy policy: [`docs/PRIVACY.md`](./docs/PRIVACY.md)
Report security issues through GitHub Security Advisories when possible, or via: .
## Agentic Coding Policy
Hush Line uses a risk-based model for agentic software development. Canonical policy: [`docs/AGENTIC-CODE-POLICY.md`](./docs/AGENTIC-CODE-POLICY.md).
Quick summary:
- Human-first is required for high-risk surfaces: funding work, databases/migrations, auth, payments, CI/CD, production infrastructure, and security/privacy boundary changes.
- AI-first is allowed for low-risk work such as scoped docs/process edits and isolated low-risk implementation tasks with clear rollback.
- If scope expands into high-risk areas (for example DB/auth/env/security), ownership immediately escalates to human-first.
- Ownership mode is tracked (`human-first` vs `ai-first`) with a quarterly operating target of roughly 70/30.
- Approved coding model policy is defined in [`AGENTS.md`](./AGENTS.md). As of 2026-02-13, the minimum approved coding model is `gpt-5.4 high`.
## Contributor Checklist
Before opening a PR:
1. Read and follow [`AGENTS.md`](./AGENTS.md) (repository policy and safety-critical rules).
2. Check open Dependabot updates first, then handle applicable dependency/security updates.
3. Keep diffs minimal and behavior-preserving unless a behavior change is explicitly intended.
4. Add or update tests for every behavior change.
5. Run required checks locally:
- `make lint`
- `make test`
6. If behavior-critical paths changed, run CI-style coverage validation:
```sh
docker compose run --rm app poetry run pytest --cov hushline --cov-report term-missing -q --skip-local-only
```
7. Run dependency vulnerability audits:
```sh
make audit-python
make audit-node-runtime
```
When frontend/runtime dependencies change, also run:
```sh
make audit-node-full
```
If local audit commands are blocked by network/tooling availability, document that in the PR and wait for a passing `Dependency Security Audit` workflow before merge.
8. Ensure commits are cryptographically signed and verifiable on GitHub.
## Documentation Map
- Docs index: [`docs/README.md`](./docs/README.md)
- Local contributor onboarding prompt: [`docs/LOCAL-CONTRIBUTOR-ONBOARDING-PROMPT.md`](./docs/LOCAL-CONTRIBUTOR-ONBOARDING-PROMPT.md)
- Developer notes: [`docs/DEV.md`](./docs/DEV.md)
- Architecture: [`docs/ARCHITECTURE.md`](./docs/ARCHITECTURE.md)
- Runner automation: [`docs/AGENT_RUNNER.md`](./docs/AGENT_RUNNER.md)
- Terms: [`docs/TERMS.md`](./docs/TERMS.md)
## Latest Screenshots
More screenshots:
## In the Media
### Privacy Guides
> “After using their platform for the past few weeks, I can comfortably write that Hush Line accomplishes its mission astoundingly well. Not only is customer support excellent for enterprise users, but its integration with PGP encrypted email makes it a lifesaver for a Thunderbird user like me. The ability to receive encrypted notifications via email is honestly an underrated feature.”
> — [Privacy Guides](https://www.privacyguides.org/posts/2026/01/09/hush-line-review-an-accessible-whistleblowing-platform-for-journalists-and-lawyers-alike/) ([archive](https://web.archive.org/web/20260110024015/https://www.privacyguides.org/posts/2026/01/09/hush-line-review-an-accessible-whistleblowing-platform-for-journalists-and-lawyers-alike/))
### Newsweek
> “Investing in technology that protects privacy—such as Hush Line and Signal—is also important in sharing information that is anonymous, and can't be subpoenaed.”
> — [Newsweek](https://www.newsweek.com/protecting-free-speech-about-more-letting-content-run-wild-opinion-2012746) ([archive](https://web.archive.org/web/20250111062609/https://www.newsweek.com/protecting-free-speech-about-more-letting-content-run-wild-opinion-2012746))
### TIME
> “Psst’s safe is based on Hush Line... a simpler way for sources to reach out to journalists and lawyers... Micah Lee, an engineer on Hush Line, says that the tool fills a gap in the market for an encrypted yet accessible central clearinghouse for sensitive information.”
> — [TIME](https://time.com/7208911/psst-whistleblower-collective/) ([archive](https://web.archive.org/web/20250122105330/https://time.com/7208911/psst-whistleblower-collective/))
### Substack
> “New systems in development, such as Hush Line, are the brave new frontier in reporting. Hush Line is a software application that offers a more secure ability to report anonymously.”
> — [Substack](https://zacharyellison.substack.com/p/part-151-playing-the-whistleblower)
### Podcasts
> “I'm working with a non-profit software company called Hush Line, which is a one-way encrypted anonymizing platform so that whistleblowers can reach out to individual journalists while remaining anonymous...”
> — [YouTube](https://www.youtube.com/watch?v=pO6q_t0wGGA&t=38m17s)
## Contributing and Conduct
Contributors are expected to follow the Code of Conduct:
## License
See [`LICENSE`](./LICENSE).