Hush Line is an open source whistleblower platform for secure, anonymous, one-way disclosures to journalists, lawyers, and other trusted recipients.
Hosted service: https://tips.hushline.app
Start here: https://hushline.app/library/docs/getting-started/start-here/
Hush Line is built for safety-critical reporting workflows where trust, anonymity, and usability all matter. The project design priorities are:
- Usability of the software
- Authenticity of the receiver
- Plausible deniability of the whistleblower
- Availability of the system
- Anonymity of the whistleblower
- Confidentiality and integrity of disclosures
| Area | What Hush Line Provides |
|---|---|
| Anonymous submissions | No submitter account required for sending disclosures |
| Encryption | End-to-end encryption workflow with recipient PGP keys, plus server-side fallback path |
| Receiver trust | Verified account workflow and trusted directory UX |
| Account security | Password authentication with optional TOTP 2FA |
| Privacy access | Tor onion support and privacy-preserving defaults |
| Communication workflow | Message status management, one-way replies, and optional email forwarding modes |
| Org customization | Branding controls, onboarding guidance, and configurable profile fields |
| Operational controls | Strong CI checks, migration compatibility testing, and workflow security validation |
```sh
git clone https://github.com/scidsg/hushline.git
cd hushline
make serve
```

Open http://localhost:8080.
If you only want to start the current stack without first tearing it down, you can still use docker compose up or make run.
If you want a slower, guided setup for a brand-new machine, use the AI-ready prompt in docs/LOCAL-CONTRIBUTOR-ONBOARDING-PROMPT.md. It walks a new contributor through installing Git, Make, Docker, cloning the repo, starting the stack, and trying the first three local flows.
| Command | Purpose | When to use |
|---|---|---|
| `make serve` | Tear down and rebuild the local stack | Starting fresh or recovering from Docker drift |
| `make lint` | Run formatting/lint/type checks | Before opening a PR or after code changes |
| `make test` | Run full test suite with coverage output | Before opening a PR and after behavior changes |
| `make fix` | Apply formatting/lint autofixes | When lint reports fixable formatting/style issues |
| `make run` | Start the current local stack | Quick restarts when you do not need a full reset |
| `make run-full` | Run Stripe-enabled development stack | Testing paid-tier or Stripe-related flows |
| `docker compose down -v --remove-orphans` | Reset local Docker state | Clearing containers, volumes, and orphaned state |
- Threat model: docs/THREAT-MODEL.md
- Security policy and vulnerability reporting: SECURITY.md
- Privacy policy: docs/PRIVACY.md
Report security issues through GitHub Security Advisories when possible, or via: https://tips.hushline.app/to/hushline-security.
Hush Line uses a risk-based model for agentic software development. Canonical policy: docs/AGENTIC-CODE-POLICY.md.
Quick summary:
- Human-first is required for high-risk surfaces: funding work, databases/migrations, auth, payments, CI/CD, production infrastructure, and security/privacy boundary changes.
- AI-first is allowed for low-risk work such as scoped docs/process edits and isolated low-risk implementation tasks with clear rollback.
- If scope expands into high-risk areas (for example DB/auth/env/security), ownership immediately escalates to human-first.
- Ownership mode is tracked (`human-first` vs `ai-first`) with a quarterly operating target of roughly 70/30.
- Approved coding model policy is defined in `AGENTS.md`. As of 2026-05-11, the minimum approved coding model is `gpt-5.5 high`.
Before opening a PR:
- Read and follow `AGENTS.md` (repository policy and safety-critical rules).
- Check open Dependabot updates first, then handle applicable dependency/security updates.
- Keep diffs minimal and behavior-preserving unless a behavior change is explicitly intended.
- Add or update tests for every behavior change.
- Run required checks locally:

  ```sh
  make lint
  make test
  ```

- If behavior-critical paths changed, run CI-style coverage validation:

  ```sh
  docker compose run --rm app poetry run pytest --cov hushline --cov-report term-missing -q --skip-local-only
  ```

- Run dependency vulnerability audits:

  ```sh
  make audit-python
  make audit-node-runtime
  ```

  When frontend/runtime dependencies change, also run:

  ```sh
  make audit-node-full
  ```

  If local audit commands are blocked by network/tooling availability, document that in the PR and wait for a passing Dependency Security Audit workflow before merge.
- Ensure commits are cryptographically signed and verifiable on GitHub.
- Docs index: docs/README.md
- Local contributor onboarding prompt: docs/LOCAL-CONTRIBUTOR-ONBOARDING-PROMPT.md
- Developer notes: docs/DEV.md
- Architecture: docs/ARCHITECTURE.md
- Runner automation: docs/AGENT_RUNNER.md
- Terms: docs/TERMS.md
More screenshots: https://github.com/scidsg/hushline-screenshots/tree/main/releases/latest
“After using their platform for the past few weeks, I can comfortably write that Hush Line accomplishes its mission astoundingly well. Not only is customer support excellent for enterprise users, but its integration with PGP encrypted email makes it a lifesaver for a Thunderbird user like me. The ability to receive encrypted notifications via email is honestly an underrated feature.”
— Privacy Guides (archive)
“Investing in technology that protects privacy—such as Hush Line and Signal—is also important in sharing information that is anonymous, and can't be subpoenaed.”
— Newsweek (archive)
“Psst’s safe is based on Hush Line... a simpler way for sources to reach out to journalists and lawyers... Micah Lee, an engineer on Hush Line, says that the tool fills a gap in the market for an encrypted yet accessible central clearinghouse for sensitive information.”
— TIME (archive)
“New systems in development, such as Hush Line, are the brave new frontier in reporting. Hush Line is a software application that offers a more secure ability to report anonymously.”
— Substack
“I'm working with a non-profit software company called Hush Line, which is a one-way encrypted anonymizing platform so that whistleblowers can reach out to individual journalists while remaining anonymous...”
— YouTube
Contributors are expected to follow the Code of Conduct:
https://github.com/scidsg/business-resources/blob/main/Policies%20%26%20Procedures/Code%20of%20Conduct.md
See LICENSE.

