What you know may matter more than you realize.
The Vault investigates systems that profit from poverty. If you have information about aid misuse, housing abuse, fund diversion, political actors exploiting public programs, or related accountability failures — this is the right place. Secure submission channels are being finalized and will be active shortly.
Read this first.
You do not need a complete picture. You do not need to identify yourself. A single document, a date, a name, a location — any of these can be the thread that opens a file. Specificity matters more than volume: one precise document is more useful than a general account.
Your device, your network, and your contact method all carry metadata. If your situation involves personal safety risk, read the guidance below before reaching out on any channel.
If you are concerned about your employer, your government, or any party discovering that you contacted us, take these steps first:
- Use a device that does not belong to your employer or institution.
- Use a network that is not your work or home connection. A public network or mobile data on a personal SIM is better.
- Do not contact us from a work email, work phone, or any account linked to your institution.
- If and when you use Signal to contact us, consider registering with a number not linked to your primary identity. Consider a secondary device.
- The Vault has no way to remove metadata from files you send. If document metadata is a concern, contact us first before sending files.
Contracts, financial statements, audit reports, internal communications, grant disbursement records, government filings.
What you witnessed directly. Dates, names, locations, and what happened. Anonymous accounts are accepted.
A name, an organization, a case number, a story that felt incomplete. We can investigate from a starting point.
If you have seen something repeated — the same scheme, the same actors, the same process — that pattern has investigative value even without a single document.
Two secure channels — both finalizing shortly.
The guidance below explains what each channel is for and how to use it when live.
ProtonMail
For general leads, document pointers, public-record tips, and non-sensitive information. Messages are encrypted at rest on Proton's servers. Note: if you email from Gmail, Outlook, or any non-ProtonMail address, your message is not end-to-end encrypted in transit.
Address being confirmed — available shortly.
Email the VaultAddress finalizing — check back shortly
Signal
For sources with personal safety concerns, sensitive documents, and situations where your identity must be protected. Signal encrypts messages and calls end-to-end. Do not use your primary phone — use a device not associated with your identity if possible.
Number being finalized — active shortly.
Contact on SignalNumber finalizing — check back shortly
Tor-Based Anonymous Channel
A fully anonymous submission channel via Tor is in development — for institutional whistleblowers, government sources, and sources in jurisdictions with press freedom restrictions. A misconfigured anonymous channel is worse than no channel. We are deploying this correctly, not quickly.
Estimated: 60–90 days from launch. If your situation requires this level of security, check back once the Signal channel is active and reach out there first. We will work within your constraints.
What happens after you reach out.
Transparency about how we handle submissions is part of the trust we ask you to extend. This is what happens with every submission we receive.
Every submission is read by a human — The Vault Archivist — not an automated filter. We do not use AI to decide what matters. We read it.
If a submission contains documentable claims, we verify them against primary sources before any entry is made in the registry. We do not publish unverified claims.
Submissions containing evidence — documents, records, accounts — are archived securely, regardless of whether they lead to a published case file. Evidence does not disappear because we haven't published yet.
If you provide a contact method and we need to follow up, we will reach back through the same channel you used. We will not ask for your identity if you did not offer it.
We decide whether a submission opens a new file, adds to an existing one, or is held for future use. Not every submission becomes a published case file. All relevant submissions are retained.
What we cannot promise.
We would rather tell you this clearly than let you submit under false assumptions.
Not every submission becomes a published investigation or registry entry. We evaluate every submission for documentability, relevance to our scope, and the resources required to verify it. If we cannot verify it, we will not publish it.
Whistleblower protection laws vary by jurisdiction, employer type, and the nature of the disclosure. The Vault is not a law firm and cannot give legal advice. If you are considering disclosing information that may expose you to legal risk, speak with a lawyer before contacting us.
Anonymous submissions are accepted and valuable. But without a way to reach you, we cannot follow up for clarification. If there is any way to provide a safe one-time contact method, it increases the likelihood that your submission leads to a published file.
Signal, ProtonMail, and the channels we use provide meaningful protection — not absolute protection. Sophisticated state actors and well-resourced adversaries operate outside what any communication tool can fully defend against. We maintain our channels with your protection as the primary constraint. That is the honest promise we can make.
How we handle source identity.
The Vault will not voluntarily disclose a source's identity to any party — government, institutional, legal, or otherwise — without the source's explicit consent. This is not a legal commitment. It is an operational standard and an editorial principle.
Source protection is active by default from the moment you reach out — you do not need to ask for it. Every contact with The Vault is treated as source-protected until we have explicit mutual agreement otherwise.
Operationally: we maintain separate communication channels for source contact and publication work. We do not store source identity information in the same systems we use for registry entries or public-facing content. We do not log source contact details in systems accessible to third parties.
If legally compelled to disclose source information, we will exhaust all available legal defenses before compliance, and we will notify the source of any such demand to the extent that doing so is legally permitted.
ProtonMail (encrypted at rest — address finalizing) · Signal (end-to-end encrypted — number finalizing) · Tor-based anonymous channel (in development, 60–90 days)