The (Continuing) Business of Keeping Promises


Chris Howell, Wickr CTO
August 30, 2018

“Wickr has built a sophisticated end-to-end encryption protocol that provides their users with strong cryptographic guarantees.”

– Dr. Matthew Green, Cryptographer & Professor at Johns Hopkins University

Earlier this year we launched a new Customer Security Promises program to offer “extreme” transparency as we called it into how we build and test our encrypted products against the key security promises we make to our users. The idea is to offer our users the ability to assess our performance towards very specific and testable security and privacy standards that form the foundations of trust between our customers and Wickr.

Purposefully, we put ourselves on record by setting a clear bar to which we hold ourselves accountable: both internally – with our engineering and product teams, and externally – with the public and our users about how we deliver on our promises and improve. We also see this program as an open invitation to our customers that they too should hold us responsible and expect transparency about how we improve on our promises.

Today, in collaboration with a team of experts at Bishop Fox and Dr. Matthew Green, we’re publishing the next version of our security promises and the test report that traditionally comes with it.

This got me thinking. What a transformative opportunity we have before us! Years ago, “open source” changed the security world. It has become a new religion based on transparency of code and openness of security methods, challenging decades-old notions of security built on need-to-know and obscurity. It clearly contributed to an era of a rising tide for software security, if for no other reason than by forcing practitioners to aim higher and build security that can even hold up to an adversary with an insider’s knowledge of how it works.

I think it’s also clear in the many years that have gone by in the open source era, however, that open source alone is not enough. Simply being open source doesn’t equal secure, and too many on both sides of the food chain – providers and consumers – now treat it as proof of trust rather than a mechanism for attaining it.

I am pleased to see how our customer promise program has evolved and taken shape to perhaps begin a new era for software security beyond the open source ethos. Sure, we’ve opened our core source code for public review. But in addition to publishing code and assuming (or rather hoping) that others will take a look, we are directly engaging the world’s leading independent experts to work with us, understand what the Wickr team is building, what our threat model is and then test, review, advise and opine as to how well we are delivering to the high-bar expectations we and our users set.

This process of working with our engineering and product teams internally and our external partners enables us to take transparency to the extreme, which we believe is a strong step forward in bringing on the next era for software security. Beyond and in addition to open source, we can all provide a much firmer foundation of trust for consumers to match today’s information security and privacy challenges.