EFF sets up software vulnerability disclosure programme

The EFF’s vulnerability disclosure programme includes a set of guidelines on how to report bugs in software the group develops and uses, offering several non-cash rewards

The Electronic Frontier Foundation (EFF) has set up a software vulnerability disclosure programme, offering guidelines and non-cash rewards.

The EFF is an international non-profit digital rights group that advises security researchers and helps organisations such as Facebook to improve their bug reporting policies.

The group’s vulnerability disclosure programme includes a set of guidelines on how to report bugs in software the EFF develops, such as HTTPS Everywhere and Let’s Encrypt.

The organisation said it invites all security researchers to inspect, analyse and improve the code the EFF produces.

The programme also covers the software the EFF uses to run its sites and services, as well as vulnerabilities created by the specific configuration of software on EFF servers.

As a non-profit organisation, the EFF is not offering cash rewards, but the programme includes several non-cash rewards. These include public acknowledgement on the EFF Security Hall of Fame page, EFF gear such as T-shirts and hats, complimentary EFF memberships, opportunities to tour the EFF office and meet EFF staff, and complimentary tickets to EFF events.

Announcing the programme, the organisation said: “Co-ordinated disclosure helps us keep the NSA [National Security Agency] from exploiting zero days like Heartbleed, and as an organisation committed to using and developing free software whenever possible, letting us know about bugs will help us work with upstream software developers to get a fix for impacted users.”

The EFF's information on joining the programme is available on the dedicated webpage.

According to security firm Rapid7, there needs to be more contact between the information security community and technology firms and other software developers.

The company recognises the importance of responsible vulnerability disclosure, but that requires opening up channels of communication with non-security firms, which can be challenging.

Often, the first contact that software and other technology firms have from security researchers concerns a vulnerability disclosure, according to Tod Beardsley, security engineering manager at Rapid7.

“But this is often perceived in a negative light because it is like someone in the security community telling them their baby is ugly,” he told Computer Weekly on the sidelines of the DEF CON 23 hacker conference in Las Vegas.

Consequently, security researchers have to manage that first contact very carefully, said Beardsley, and bear in mind that it is an emotional topic, to ensure that the resulting relationship is a positive one. Like the EFF, Rapid7 is working with organisations to help them establish a vulnerability intake process and draw up a vulnerability disclosure policy.
