Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

EFF Launches Security Vulnerability Disclosure Program

The Electronic Frontier Foundation (EFF) has launched its own Security Vulnerability Disclosure Program, designed as a set of guidelines on how to report security issues in software that the foundation develops or uses.

The Electronic Frontier Foundation (EFF) has launched its own Security Vulnerability Disclosure Program, designed as a set of guidelines on how to report security issues in software that the foundation develops or uses.

EFF’s Disclosure Program was launched for finding bugs in software such as HTTPS Everywhere or Let’s Encrypt Agent, Privacy Badger for Chrome and Firefox, Phantom of the Capitol, Action Center, and Boulder. Additionally, it is aimed at the reporting of bugs in software used on eff.org and all subdomains (*.eff.org), as well as on panopticlick.com, digcit.org, dearfcc.org, democracy.io, and others.

The Foundation announced that vulnerabilities qualify for the program if they exist in the latest public release (including officially released public betas) of the software.

For the software that it uses on websites, EFF is looking for issues such as Cross-site request forgery (CSRF/XSRF), Cross-site scripting (XSS), Authentication bypass, Remote code execution, SQL Injection, and Privilege escalation. All vulnerabilities that exist in software or a service that is actively running on EFF’s servers at the time of the disclosure qualify for the program.

Security researchers are encouraged to focus on the beta release of the Let’s Encrypt Client, the Foundation notes. This does not come as a surprise, since Let’s Encrypt was released in public beta last week, and the client has been available in open source for only a few months.

One thing that people interested in finding and reporting security bugs to EFF should know, however, is that the Foundation won’t be able to reward them in cash, as other companies do, but will offer public acknowledgement on the EFF Security Hall of Fame page. Non-cash rewards like EFF gear or complimentary EFF memberships will also be offered as part of the program.

“But reporting bugs does more than just help EFF and earn you cool swag. Coordinated disclosure helps us keep the NSA from exploiting zero days like Heartbleed, and as an organization committed to using and developing free software whenever possible, letting us know about bugs will help us work with upstream software developers to get a fix for impacted users,” EFF notes.

Security researchers interested in participating in the program are also required to adhere to a series of guidelines that will ensure they are eligible for the rewards available as part of the program. These guidelines are available on the EFF Security Vulnerability Disclosure Program page.

Written By

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.