Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

EFF Launches Security Vulnerability Disclosure Program

The Electronic Frontier Foundation (EFF) has launched its own Security Vulnerability Disclosure Program, designed as a set of guidelines on how to report security issues in software that the foundation develops or uses.

The Electronic Frontier Foundation (EFF) has launched its own Security Vulnerability Disclosure Program, designed as a set of guidelines on how to report security issues in software that the foundation develops or uses.

EFF’s Disclosure Program was launched for finding bugs in software such as HTTPS Everywhere or Let’s Encrypt Agent, Privacy Badger for Chrome and Firefox, Phantom of the Capitol, Action Center, and Boulder. Additionally, it is aimed at the reporting of bugs in software used on eff.org and all subdomains (*.eff.org), as well as on panopticlick.com, digcit.org, dearfcc.org, democracy.io, and others.

The Foundation announced that vulnerabilities qualify for the program if they exist in the latest public release (including officially released public betas) of the software.

For the software that it uses on websites, EFF is looking for issues such as Cross-site request forgery (CSRF/XSRF), Cross-site scripting (XSS), Authentication bypass, Remote code execution, SQL Injection, and Privilege escalation. All vulnerabilities that exist in software or a service that is actively running on EFF’s servers at the time of the disclosure qualify for the program.

Security researchers are encouraged to focus on the beta release of the Let’s Encrypt Client, the Foundation notes. This does not come as a surprise, since Let’s Encrypt was released in public beta last week, and the client has been available in open source for only a few months.

One thing that people interested in finding and reporting security bugs to EFF should know, however, is that the Foundation won’t be able to reward them in cash, as other companies do, but will offer public acknowledgement on the EFF Security Hall of Fame page. Non-cash rewards like EFF gear or complimentary EFF memberships will also be offered as part of the program.

“But reporting bugs does more than just help EFF and earn you cool swag. Coordinated disclosure helps us keep the NSA from exploiting zero days like Heartbleed, and as an organization committed to using and developing free software whenever possible, letting us know about bugs will help us work with upstream software developers to get a fix for impacted users,” EFF notes.

Advertisement. Scroll to continue reading.

Security researchers interested in participating in the program are also required to adhere to a series of guidelines that will ensure they are eligible for the rewards available as part of the program. These guidelines are available on the EFF Security Vulnerability Disclosure Program page.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Cloud security giant Wiz has named Fazal Merchant as President and Chief Financial Officer.

Cybersecurity and data protection company Acronis has appointed Gerald Beuchelt as CISO.

Adam Zoller has joined CrowdStrike as Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.