December 3, 2015 | By William Theaker

Find a Security Vulnerability, Get a Reward: Announcing EFF's Security Vulnerability Disclosure Program

At EFF we put security and privacy first. This means working hard at keeping our members and site visitors safe, as well as the people who use the software we develop. We also dedicate staff time to advising security researchers, maintaining resources like our Coders' Rights Project, and helping groups like Facebook improve their bug reporting policies.

Today we're following our own advice by announcing EFF's own Security Vulnerability Disclosure Program. The Disclosure Program is a set of guidelines on how to report bugs in software EFF develops, like HTTPS Everywhere or Let's Encrypt, as well as the software we use to run our sites and services. The scope of the bugs we're looking for is detailed on the Security Vulnerability Disclosure Program page, but we're not just looking for bugs in our code. Security vulnerabilities created by the specific configuration of software on EFF servers are also within the scope of this program.

One difference between our program and others is that as a lean, member-driven nonprofit we don't have the resources to match the cash rewards others can provide for zero days. Instead, what we can offer is public acknowledgement on our EFF Security Hall of Fame page and other non-cash rewards like EFF gear or complimentary EFF memberships. But reporting bugs does more than just help EFF and earn you cool swag. Coordinated disclosure helps us keep the NSA from exploiting zero days like Heartbleed, and as an organization committed to using and developing free software whenever possible, letting us know about bugs will help us work with upstream software developers to get a fix for impacted users.

Security research is a prerequisite for safe computing. We're lucky to have such a talented base of supporters and members who can donate their time to help us improve online security, so we invite you to help us by inspecting, analyzing, and improving the code we write. We especially want to encourage security researchers to turn their attention towards the beta release of the Let's Encrypt Client (the master branch of the linked repo). As an added incentive, we're currently brainstorming even neater rewards which we may only give out for vulnerabilities in that software.

In order to get started, visit our Security Vulnerability Disclosure Program page to view the full reporting guidelines. And don't forget to download a copy of the GPG key to use when submitting your vulnerabilities. Happy hunting!

Deeplinks Topics

Stay in Touch

NSA Spying

EFF is leading the fight against the NSA's illegal mass surveillance program. Learn more about what the program is, how it works, and what you can do.

Follow EFF

.@zeynep Agreed. While key mgnt choices are complex & security critical, it may be unfair to call them backdoors.

Jan 23 @ 6:52pm

EFF is on @CREDOMobile's January ballot! Your votes help us get more of the $150K+ donation pool.

Jan 23 @ 5:22pm

Trump's nominee for Attorney General, Sen. Jeff Sessions, wants the government to be able to "overcome" encryption:

Jan 23 @ 4:47pm
JavaScript license information