EFF launches security vulnerability disclosure program

The EFF has launched a bug disclosure program for projects including Let's Encrypt and HTTPS Everywhere.

screen-shot-2015-12-04-at-09-04-46.png

The Electronic Frontier Foundation (EFF) is the latest in a string of companies to launch a bug bounty program to improve the security of its projects and software.

The EFF is a non-profit which campaigns for the digital rights of the general public, conducts security research, exposes illegal surveillance practices and leads legal battles to protect individual privacy and supporting other organizations specializing in open source software, encryption, security research and emerging technologies.

EFF has also recently launched two projects designed to promote the increased use of encryption and better security across the Web, HTTPS Everywhere and Let's Encrypt.

As the non-profit notes, it's all well and good to campaign for better security -- but without setting an example with your own software, you can't necessarily expect others to follow suit.

Therefore, the group has decided to launch its own security vulnerability disclosure program to reward researchers who find and report flaws and bugs in EFF software.

In a blog post, EFF said the program gives researchers guidelines to follow when submitting bugs or vulnerabilities in software EFF develops -- as well as the software the organization uses to run its sites and services.

EFF is looking for security vulnerabilities in HTTPS Everywhere, Privacy Badger for Chrome and Firefox, Phantom of the Capitol, Action Center, Let's Encrypt Agent and the Boulder software. In addition, the group has asked researchers to take a look at EFF web services and other "public facing software" the group uses on domains including eff.org, savecrypto.org and democracy.io, among others.

In order to qualify, researchers need to find flaws in the latest public release of EFF software. The vulnerabilities EFF is looking for are cross-site request forgery (CSRF/XSRF), cross-site scripting (XSS), authentication bypass, remote code execution, SQL injection and privilege escalation flaws.

Other bugs might be accepted on a case-by-case basis.

As you can imagine, the non-profit does not have a lot of free cash to throw at researchers. Instead, at least for now, vulnerability disclosures will be rewarded with credit in the EFF Security Hall of Fame and other non-cash rewards such as merchandise or free EFF memberships.

"Reporting bugs does more than just help EFF and earn you cool swag," EFF says. "Coordinated disclosure helps us keep the NSA from exploiting zero-days like Heartbleed, and as an organization committed to using and developing free software whenever possible, letting us know about bugs will help us work with upstream software developers to get a fix for impacted users."

See also: Bug bounties: Which companies offer researchers cash?

Researchers disclosing vulnerabilities are asked to send reports to vulnerabilities@eff.org using the supplied GPG key. The organization asks for 90 days to fix vulnerabilities before public disclosure.

EFF says:

"Security research is a prerequisite for safe computing. We're lucky to have such a talented base of supporters and members who can donate their time to help us improve online security, so we invite you to help us by inspecting, analyzing, and improving the code we write.

We especially want to encourage security researchers to turn their attention towards the beta release of the Let's Encrypt Client (the master branch of the linked repo). As an added incentive, we're currently brainstorming even neater rewards which we may only give out for vulnerabilities in that software."

Read on: Top picks