The platform has completed its second independent security review of 2025, bringing the total number of third-party assessments conducted since launch to four. Year-end security reviews serve a different purpose than mid-year assessments: they occur after the bulk of annual feature development is complete, providing an opportunity to audit changes accumulated over the preceding six months rather than reviewing a stable, unchanged codebase. This review focused primarily on infrastructure hardening, Tor v3 configuration best practices, and server-side encryption implementation.
Why Bi-Annual Security Reviews Are Valuable
Security is not a state that a platform achieves and maintains indefinitely—it is a continuous process of assessment, remediation, and reassessment against an evolving threat landscape. A platform that undergoes a thorough review in January and then deploys significant new features in March, June, September, and December has effectively un-audited the majority of its codebase by December. Bi-annual reviews, ideally timed to follow major development cycles, address this problem by ensuring no substantial period of feature development goes unreviewed.
There is also a threat landscape argument for frequency. New vulnerability classes are discovered regularly, and a class of vulnerability that did not exist as a recognized threat pattern in January may have well-documented exploitation techniques by October. A mid-year and year-end review cycle ensures that assessors are applying contemporary knowledge to the codebase rather than knowledge that may be months stale.
For the community, bi-annual reviews are also a stronger signal than annual reviews because they demonstrate that security assessment is institutionalized practice rather than a one-time marketing exercise. The October review covered application-layer security; this December review focused on the infrastructure and network layer. Together, they provide coverage across both the code and the environment it runs in.
What the Year-End Review Covered
Infrastructure hardening was the primary focus area. Reviewers examined the server configuration against current hardening benchmarks, including unnecessary service exposure, file permission configurations, and kernel-level security parameters. The review also examined how secrets—encryption keys, API credentials, and configuration values—are stored and accessed at runtime, verifying that key material is not logged, not stored in environment variables accessible to other processes, and protected by appropriate access controls.
The Tor v3 hidden service configuration received detailed attention. Onion service configuration has a number of parameters that affect both performance and security, including the number of introduction points, HSDir posting behavior, and circuit-level isolation settings. Reviewers compared the platform's configuration against The Tor Project's published best practices for high-security hidden services. Two configuration parameters were found to be suboptimal and were updated: the number of introduction points was increased to improve availability under sustained attack, and stream isolation was enabled on a secondary endpoint that had been missed during initial configuration.
Server-side encryption implementation was reviewed to verify that data at rest—particularly user-submitted content and transaction records—is encrypted using current recommended algorithms and key lengths. The review found that all stored data is encrypted using AES-256 and that key rotation procedures are documented and tested. One improvement was noted: the key derivation function used in one subsystem was updated from PBKDF2 with a low iteration count to Argon2id, which is the current recommended algorithm for password-based key derivation.
Comparison With the October Audit
The October audit identified five findings, all remediated before the year-end review. This December review identified three findings: one medium severity related to the stream isolation configuration gap noted above, and two low-severity findings involving logging verbosity and a secondary endpoint configuration. All three were remediated during the review window and verified by the reviewing team before the final report was issued.
The trend across four reviews is one of improving baseline security. The first review in late 2024 identified two high-severity findings; by the fourth review in December 2025, no high or critical findings were present. This trajectory reflects both the maturation of the platform's security practices and the benefit of iterative review cycles that allow identified improvements to be incorporated before the next assessment.
Detailed OPSEC guidance relevant to users—covering Tor Browser configuration, PGP usage, and threat modeling—is available at the OPSEC guide. The anti-phishing resources at the safety rules page cover the user-facing security practices that complement the platform-side infrastructure work described here.