Thunderbird Security Audit by 7ASecurity

Thunderbird Security Audit

7ASecurity is proud to share the results of our security audit of Thunderbird Send. Thunderbird Send is an open source platform for sending and receiving end-to-end encrypted files, for use with Mozilla Thunderbird or with web browsers. With the help of the Open Source Technology Improvement Fund (OSTIF) and the Mozilla Foundation, this project will be in a more stable and robust state for its future public release.

Audit Process:

This engagement took place during April and May of 2025 and was undertaken by 5 security experts over 25 person-days. This was Thunderbird Send's first pentest and whitebox security audit. The scope of the review covered the websites, APIs and cloud infrastructure, and also included creating threat modelling documentation and reviewing the supply chain with an SLSA analysis. Because the project handles encrypted data and its transfer, particular importance is placed on its ability to work securely and effectively. The threat modelling exercise identifies the relevant assets, threat actors and attack surfaces; these can then be used by the auditors and maintainers to reinforce exposed areas and data, and to recommend next steps for improving project health.

Audit Results:

  • 2 Vulnerabilities Identified
    • 1 Critical
    • 1 High
  • 20 Hardening Recommendations
  • Custom Threat Model
  • Supply Chain Security Analysis
  • Future Security Work Recommendations

While there were a number of security-related findings as a result of this work, overall the application was found to be defensively designed and implemented. In multiple places the maintainers were noted to be following security industry best practices. The team responded actively and quickly to the audit findings, resolving both vulnerabilities as well as several of the hardening recommendations to improve code quality and resilience ahead of the app's public release. If you would like to contribute to the Thunderbird project in the meantime, their webpage has a list of ways to do so.

Thank you to the individuals and groups that made this engagement possible:

  • Thunderbird-Send maintainers and community, especially: Alejandro Aspinwall, Lisa McCormack, Malini Das, Ryan Jung, and Ryan Sipes
  • OSTIF: Amir Montazery, Derek Zimmer, Helen Woeste, Tom Welter
  • Mozilla Foundation

You can read the Audit Report HERE

You can read OSTIF’s Blog HERE

You can read Thunderbird Send's Blog HERE

Everyone around the world depends on open source software. If you’re interested in financially supporting this critical work, reach out to contactus@ostif.org

OSTIF is celebrating its 10 year anniversary! Join them for a meetup about their work, lessons learned, and where they see the future of open source security going by following the meetup calendar https://lu.ma/ostif-meetups