The Electronic Frontier Foundation (EFF) has launched its own Security Vulnerability Disclosure Program, designed as a set of guidelines on how to report security issues in software that the foundation develops or uses.
EFF’s Disclosure Program was launched for finding bugs in software such as HTTPS Everywhere or Let’s Encrypt Agent, Privacy Badger for Chrome and Firefox, Phantom of the Capitol, Action Center, and Boulder. Additionally, it is aimed at the reporting of bugs in software used on eff.org and all subdomains (*.eff.org), as well as on panopticlick.com, digcit.org, dearfcc.org, democracy.io, and others.
The Foundation announced that vulnerabilities qualify for the program if they exist in the latest public release (including officially released public betas) of the software.
For the software that it uses on websites, EFF is looking for issues such as Cross-site request forgery (CSRF/XSRF), Cross-site scripting (XSS), Authentication bypass, Remote code execution, SQL Injection, and Privilege escalation. All vulnerabilities that exist in software or a service that is actively running on EFF’s servers at the time of the disclosure qualify for the program.
Security researchers are encouraged to focus on the beta release of the Let’s Encrypt Client, the Foundation notes. This does not come as a surprise, since Let’s Encrypt was released in public beta last week, and the client has been available in open source for only a few months.
One thing that people interested in finding and reporting security bugs to EFF should know, however, is that the Foundation won’t be able to reward them in cash, as other companies do, but will offer public acknowledgement on the EFF Security Hall of Fame page. Non-cash rewards like EFF gear or complimentary EFF memberships will also be offered as part of the program.
“But reporting bugs does more than just help EFF and earn you cool swag. Coordinated disclosure helps us keep the NSA from exploiting zero days like Heartbleed, and as an organization committed to using and developing free software whenever possible, letting us know about bugs will help us work with upstream software developers to get a fix for impacted users,” EFF notes.
Security researchers interested in participating in the program are also required to adhere to a series of guidelines that will ensure they are eligible for the rewards available as part of the program. These guidelines are available on the EFF Security Vulnerability Disclosure Program page.