At EFF we put security and privacy first. That's why over three years ago we launched EFF's Security Vulnerability Disclosure Program. The Disclosure Program is a set of guidelines on how security researchers can tell EFF about bugs in the software we develop, like HTTPS Everywhere or Certbot. When we launched the program, it was a bit of an experiment. After all, as a lean, member-driven nonprofit, we can't give out the tremendous cash rewards that large corporations can provide for zero days. Instead, all we can offer security researchers in return for their hard work is recognition on our EFF Security Hall of Fame page and other non-cash rewards like EFF gear or complimentary EFF memberships.

Despite the limited rewards, the program has been a tremendous success. As of June 1, 2019, we've had over seventy different security researchers report valid security vulnerabilities to us, as you can see on our Security Hall of Fame page.

Today we're making a few changes to the program based on our experience over the past three years. In particular, we're narrowing the scope of the program to focus only on specific software projects written by EFF. We still appreciate it when people report vulnerabilities in our server configurations to us, but our top priority is the security of the software we put out into the world for anyone to use. Additionally, we're clarifying that we won't be able to provide physical rewards to people located in some areas where we've had difficulty shipping things in the past, particularly India and Pakistan. While we appreciate all the hard work of security researchers there, trying to get international shipments to those countries has put a tremendous strain on our tiny rewards team. Of course, we'll still offer recognition on our Security Hall of Fame page to anyone, regardless of where on the planet they live.

Security research is a prerequisite for safe computing. We're lucky to have such a talented base of supporters and members who can donate their time to help us improve online security, so we invite you to continue helping us by inspecting, analyzing, and improving the code we write.

Visit our Security Vulnerability Disclosure Program page to view the full reporting guidelines. And don't forget to download a copy of the GPG key to use when submitting your vulnerabilities. Happy hunting!