The Atlantic has released the entire Signal chat among Trump senior national security officials. It shows that Defense Secretary Pete Hegseth provided the exact times of warplane launches and when bombs would drop — before the men and women flying those attacks against Yemen's Houthis this month on
I think the description of vulnerability is subjective in this case. It could be that Signal is inherently more vulnerable than official channels, as Signal is a private corporation that has no motivation to disclose any failures in their security.
I don’t think the article is trying to blame Signal in any way; it’s just not the proper communication channel, and thus utilizing it is an inherent vulnerability no matter how secure their encryption may be.
The Signal Foundation is a non-profit. The non-profit owns an LLC under the same name which publishes and develops the apps.
The software itself is open source, and licensed under AGPLv3, the same permissive license as Lemmy and Mastodon.
Calling them a private company with no motivation to disclose any failures in their security is pretty clearly untrue in whole.
No, it really isn’t. The Signal protocol enables E2EE, meaning you don’t have to worry about the server infra (that is, even if you don’t buy that they’re using the FOSS server code they say they are, it’s irrelevant). The Signal protocol is open and has been examined forwards and backwards over and over by security researchers around the world. I can’t emphasize how many eyes are on this protocol because of how prolifically used it is, including by government officials worldwide. The app is FOSS, and like the protocol, it has a ton of eyes on it for the same reason. The app is a reproducible build, meaning that if Signal baited you with a fake app, it would be found out immediately.
They’re a corporation, sure, but in the sense that they’re a 501(c)(3), not a for-profit. Signal would have every incentive to disclose a failure in “their security” (where here that means their app or the protocol; again, what’s happening on the servers literally, provably, mathematically doesn’t matter). For a privacy org like this, it’s in their best interest to immediately report any problems that might compromise privacy.
Agreed. But here, I agree it’s not the proper channel 1) because it’s on their personal devices, which the person you’re responding to clearly stated, and 2) a Signal chat (likely intentionally on their part) bypasses crucial records keeping laws. A known vuln, for example, is if someone has access to your phone, they can link their own personal device and read your messages as they come up. But again, that requires access to your phone, which becomes problematic if and only if you’re using your own personal device rather than a secure government one.
No. Again, that’s not an inherent vulnerability. Using it on their personal devices is, but unless you can come up with a vulnerability in the app itself or the protocol itself, then you’re just agreeing with the person you’re replying to.
This reads to me like Signal has weaknesses. Also, just so everyone is aware:
The Signal Technology Foundation, commonly known as the Signal Foundation, is an American non-profit organization founded in 2018 by Moxie Marlinspike and Brian Acton. Its mission is to “protect free expression and enable secure communication through open source digital privacy”. Its subsidiary, Signal Messenger LLC, is responsible for the development of the Signal messaging app and the Signal Protocol.
Signal is an open-source, encrypted messaging service for instant messaging, voice calls, and video calls. The instant messaging function includes sending text, voice notes, images, videos, and other files. Communication may be one-to-one between users or may involve group messaging.
Calling it a “vulnerability” that someone with full access to an authorized device can use it to authorize another device is crazy. That’s not Signal’s issue, that’s an issue with your device security. The app has to trust the logged in user; if it doesn’t, then even displaying the data could be a breach.