
Security Vulnerability Disclosure Program | Electronic Frontier Foundation

<!DOCTYPE html> <!--[if IEMobile 7]><html class="no-js ie iem7" lang="en" dir="ltr"><![endif]--> <!--[if lte IE 6]><html class="no-js ie lt-ie9 lt-ie8 lt-ie7" lang="en" dir="ltr"><![endif]--> <!--[if (IE 7)&(!IEMobile)]><html class="no-js ie lt-ie9 lt-ie8" lang="en" dir="ltr"><![endif]--> <!--[if IE 8]><html class="no-js ie lt-ie9" lang="en" dir="ltr"><![endif]--> <!--[if (gte IE 9)|(gt IEMobile 7)]><html class="no-js ie" lang="en" dir="ltr" prefix="fb: http://ogp.me/ns/fb# og: http://ogp.me/ns#"><![endif]--> <!--[if !IE]><!--><html class="no-js" lang="en" dir="ltr" prefix="fb: http://ogp.me/ns/fb# og: http://ogp.me/ns#"><!--<![endif]--> <head> <meta charset="utf-8" /> <link rel="shortcut icon" href="https://www.eff.org/sites/all/themes/frontier/favicon.ico" type="image/vnd.microsoft.icon" /> <link rel="profile" href="http://www.w3.org/1999/xhtml/vocab" /> <meta name="HandheldFriendly" content="true" /> <meta name="MobileOptimized" content="width" /> <meta http-equiv="cleartype" content="on" /> <link rel="apple-touch-icon" href="https://www.eff.org/sites/all/themes/phoenix/apple-touch-icon.png" /> <link rel="apple-touch-icon-precomposed" href="https://www.eff.org/sites/all/themes/phoenix/apple-touch-icon-precomposed.png" /> <meta name="description" content="Also check out our EFF Security Hall of Fame to see the heroes that have already reported security vulnerabilities to us!OverviewEFF is committed to protecting the privacy and security of users of our software tools. Our Vulnerability Disclosure Program is intended to minimize the impact any..." 
/> <meta name="viewport" content="width=device-width" /> <link rel="canonical" href="https://www.eff.org/security" /> <meta name="generator" content="Drupal 7 (http://drupal.org)" /> <link rel="shortlink" href="https://www.eff.org/node/89201" /> <meta property="og:site_name" content="Electronic Frontier Foundation" /> <meta property="og:type" content="article" /> <meta property="og:title" content="Security Vulnerability Disclosure Program" /> <meta property="og:url" content="https://www.eff.org/security" /> <meta property="og:description" content="Also check out our EFF Security Hall of Fame to see the heroes that have already reported security vulnerabilities to us!OverviewEFF is committed to protecting the privacy and security of users of our software tools. Our Vulnerability Disclosure Program is intended to minimize the impact any..." /> <meta property="og:updated_time" content="2024-09-20T14:15:38-07:00" /> <meta property="og:image" content="https://www.eff.org/files/eff-og.png" /> <meta property="og:image:url" content="https://www.eff.org/files/eff-og.png" /> <meta property="og:image:secure_url" content="https://www.eff.org/files/eff-og.png" /> <meta property="og:image:type" content="image/png" /> <meta property="og:image:width" content="1200" /> <meta name="twitter:card" content="summary_large_image" /> <meta property="og:image:height" content="630" /> <meta name="twitter:site" content="@eff" /> <meta name="twitter:title" content="Security Vulnerability Disclosure Program" /> <meta name="twitter:description" content="Also check out our EFF Security Hall of Fame to see the heroes that have already reported security vulnerabilities to us!OverviewEFF is committed to protecting the privacy and security of users of" /> <meta name="twitter:image" content="https://www.eff.org/files/eff-og.png" /> <meta name="twitter:image:width" content="1200" /> <meta name="twitter:image:height" content="630" /> <meta property="article:publisher" 
content="https://www.facebook.com/eff" /> <meta property="article:published_time" content="2015-12-03T11:17:04-08:00" /> <meta property="article:modified_time" content="2024-09-20T14:15:38-07:00" /> <meta itemprop="name" content="Security Vulnerability Disclosure Program" /> <link rel="publisher" href="https://www.eff.org/" /> <meta itemprop="description" content="Also check out our EFF Security Hall of Fame to see the heroes that have already reported security vulnerabilities to us!OverviewEFF is committed to protecting the privacy and security of users of our software tools. Our Vulnerability Disclosure Program is intended to minimize the impact any..." /> <meta itemprop="image" content="https://www.eff.org/files/eff-og.png" /> <title>Security Vulnerability Disclosure Program | Electronic Frontier Foundation</title> <link type="text/css" rel="stylesheet" href="https://www.eff.org/files/css/css_-cTR95bLYiHgp6yuP3xqEp4C3J_A3eTaZIWT-rA7_-I.css" media="all" /> <link type="text/css" rel="stylesheet" href="https://www.eff.org/files/css/css_DK0QprJWzW5EL3FiYM7gq-09dezg-4M6NEp7XiGwYTI.css" media="all" /> <link type="text/css" rel="stylesheet" href="https://www.eff.org/files/css/css_XHR4l4eATZ3Z8G5dXumYjAu2Fu0j4By-TFNkuRO34U8.css" media="all" /> <script>/** * @licstart The following is the entire license notice for the JavaScript * code in this page. * * Copyright (C) 2025 Electronic Frontier Foundation. * * The JavaScript code in this page is free software: you can redistribute * it and/or modify it under the terms of the GNU General Public License * (GNU GPL) as published by the Free Software Foundation, either version 3 * of the License, or (at your option) any later version. The code is * distributed WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU GPL * for more details. 
* * As additional permission under GNU GPL version 3 section 7, you may * distribute non-source (e.g., minimized or compacted) forms of that code * without the copy of the GNU GPL normally required by section 4, provided * you include this license notice and a URL through which recipients can * access the Corresponding Source. * * @licend The above is the entire license notice for the JavaScript code * in this page. */ </script> <script src="https://www.eff.org/files/js/js_qd8BaywA4mj4edyGLb52Px4-BwFqScI7dgPymNmaueA.js"></script> <script src="https://www.eff.org/files/js/js_x2A4oj9_rCj5CWR_dGMHrobZW14ZVI9ruZKCDG7yyfM.js"></script> <script src="https://www.eff.org/files/js/js_aoyqGMMZgQZIP71HQUw7zecjGCeyEcqUU5RtU5-iyzw.js"></script> <script src="https://www.eff.org/files/js/js_g7t6BFiX3T9qjjMlQee69jfHL0muKHZPePq_j6OMDUA.js"></script> <script src="https://www.eff.org/files/js/js_ni4sNn7z45mA975KRMtQ-qWQYA3MYgzJX62wtvwezeU.js"></script> <script>jQuery.extend(Drupal.settings, {"basePath":"\/","pathPrefix":"","setHasJsCookie":0,"lightbox2":{"rtl":"0","file_path":"\/(\\w\\w\/)public:\/","default_image":"\/sites\/all\/modules\/contrib\/lightbox2\/images\/brokenimage.jpg","border_size":10,"font_color":"000","box_color":"fff","top_position":"","overlay_opacity":"0.8","overlay_color":"000","disable_close_click":1,"resize_sequence":0,"resize_speed":10,"fade_in_speed":300,"slide_down_speed":10,"use_alt_layout":1,"disable_resize":0,"disable_zoom":1,"force_show_nav":0,"show_caption":1,"loop_items":1,"node_link_text":"","node_link_target":0,"image_count":"","video_count":"","page_count":"","lite_press_x_close":"press \u003Ca href=\u0022#\u0022 onclick=\u0022hideLightbox(); return FALSE;\u0022\u003E\u003Ckbd\u003Ex\u003C\/kbd\u003E\u003C\/a\u003E to close","download_link_text":"","enable_login":false,"enable_contact":false,"keys_close":"c x 27","keys_previous":"p 37","keys_next":"n 
39","keys_zoom":"z","keys_play_pause":"32","display_image_size":"original","image_node_sizes":"()","trigger_lightbox_classes":"","trigger_lightbox_group_classes":"","trigger_slideshow_classes":"","trigger_lightframe_classes":"","trigger_lightframe_group_classes":"","custom_class_handler":0,"custom_trigger_classes":"","disable_for_gallery_lists":true,"disable_for_acidfree_gallery_lists":true,"enable_acidfree_videos":true,"slideshow_interval":5000,"slideshow_automatic_start":true,"slideshow_automatic_exit":true,"show_play_pause":true,"pause_on_next_click":false,"pause_on_previous_click":true,"loop_slides":false,"iframe_width":600,"iframe_height":400,"iframe_border":1,"enable_video":0,"useragent":"Owler (ows.eu\/owler)"},"responsive_menus":[{"selectors":"#header-sls-menu","container":"body","trigger_txt":"\u003Cspan class=\u0022mean-burger\u0022 \/\u003E\u003Cspan class=\u0022mean-burger\u0022 \/\u003E\u003Cspan class=\u0022mean-burger\u0022 \/\u003E","close_txt":"X","close_size":"18px","position":"right","media_size":"480","show_children":"1","expand_children":"0","expand_txt":"+","contract_txt":"-","remove_attrs":"1","responsive_menus_style":"mean_menu"}],"urlIsAjaxTrusted":{"\/search\/site":true},"piwikNoscript":{"image":"\u003Cimg style=\u0022position: absolute\u0022 src=\u0022https:\/\/anon-stats.eff.org\/js\/?idsite=1\u0026amp;rec=1\u0026amp;url=https%3A\/\/www.eff.org\/security\u0026amp;action_name=\u0026amp;urlref=\u0026amp;dimension2=panelized_page\u0026amp;dimension3=89201\u0022 width=\u00220\u0022 height=\u00220\u0022 alt=\u0022\u0022 \/\u003E"}});</script> </head> <body class="html not-front not-logged-in page-node page-node- page-node-89201 node-type-panelized-page node-promoted i18n-en section-security no-secondary-nav no-right-sidebar"> <a href="#main-content" class="element-invisible element-focusable">Skip to main content</a> <div id="mobile-nav" class="navigation"> <div> <div class="panel-pane pane-main-nav-menu"> <ul class="menu"><li class=""><a 
href="/about">About</a><ul class="menu"><li class="first leaf"><a href="/about/contact">Contact</a></li> <li class="leaf"><a href="/press/contact">Press</a></li> <li class="leaf"><a href="/about/staff" title="Details and contact information for the EFF&#039;s staff">People</a></li> <li class="last leaf"><a href="/about/opportunities">Opportunities</a></li> </ul></li> <li class=""><a href="/work">Issues</a><ul class="menu"><li class="first leaf"><a href="/issues/free-speech">Free Speech</a></li> <li class="leaf"><a href="/issues/privacy">Privacy</a></li> <li class="leaf"><a href="/issues/innovation">Creativity and Innovation</a></li> <li class="leaf"><a href="/issues/transparency">Transparency</a></li> <li class="leaf"><a href="/issues/international">International</a></li> <li class="last leaf"><a href="/issues/security">Security</a></li> </ul></li> <li class=""><a href="/updates">Our Work</a><ul class="menu"><li class="first leaf"><a href="/deeplinks">Deeplinks Blog</a></li> <li class="leaf"><a href="/updates?type=press_release">Press Releases</a></li> <li class="leaf"><a href="/updates?type=event">Events</a></li> <li class="leaf"><a href="/pages/legal-cases" title="">Legal Cases</a></li> <li class="leaf"><a href="/updates?type=whitepaper">Whitepapers</a></li> <li class="leaf"><a href="/taxonomy/term/11579/" title="">Podcast</a></li> <li class="last leaf"><a href="https://www.eff.org/about/annual-reports-and-financials" title="">Annual Reports</a></li> </ul></li> <li class=""><a href="https://act.eff.org/">Take Action</a><ul class="menu"><li class="first leaf"><a href="https://act.eff.org/">Action Center</a></li> <li class="leaf"><a href="/fight">Electronic Frontier Alliance</a></li> <li class="last leaf"><a href="/about/opportunities/volunteer">Volunteer</a></li> </ul></li> <li class=""><a href="/pages/tools">Tools</a><ul class="menu"><li class="first leaf"><a href="https://www.eff.org/pages/privacy-badger" title="">Privacy Badger</a></li> <li class="leaf"><a 
href="https://www.eff.org/pages/surveillance-self-defense" title="">Surveillance Self-Defense</a></li> <li class="leaf"><a href="https://www.eff.org/pages/certbot" title="">Certbot</a></li> <li class="leaf"><a href="https://www.eff.org/pages/atlas-surveillance" title="">Atlas of Surveillance</a></li> <li class="leaf"><a href="https://www.eff.org/pages/cover-your-tracks" title="">Cover Your Tracks</a></li> <li class="leaf"><a href="https://sls.eff.org/" title="">Street Level Surveillance</a></li> <li class="last leaf"><a href="https://github.com/EFForg/apkeep" title="">apkeep</a></li> </ul></li> <li class=""><a href="https://supporters.eff.org/donate/join-eff-today" title="Donate to EFF">Donate</a><ul class="menu"><li class="first leaf"><a href="https://supporters.eff.org/donate/join-eff-today">Donate to EFF</a></li> <li class="leaf"><a href="/givingsociety" title="">Giving Societies</a></li> <li class="leaf"><a href="https://shop.eff.org">Shop</a></li> <li class="leaf"><a href="https://www.eff.org/thanks#organizational_members" title="">Org. 
Membership</a></li> <li class="leaf"><a href="/helpout">Other Ways to Give</a></li> <li class="last leaf"><a href="/pages/membership-faq" title="Frequently Asked Questions and other information about EFF Memberships.">Membership FAQ</a></li> </ul></li> <li class=""><a href="https://supporters.eff.org/donate/site-m--h" title="Donate to EFF">Donate</a><ul class="menu"><li class="first leaf"><a href="https://supporters.eff.org/donate/site-m--h">Donate to EFF</a></li> <li class="leaf"><a href="https://shop.eff.org" title="">Shop</a></li> <li class="last leaf"><a href="/helpout">Other Ways to Give</a></li> </ul></li> <li class="last leaf"><form class="search-block-form search-site" action="/search/site" method="post" id="search-block-form" accept-charset="UTF-8"><div><div class="container-inline"> <h2 class="element-invisible">Search form</h2> <div class="form-item form-type-textfield form-item-search-block-form"> <label class="element-invisible" for="edit-search-block-form--2">Search </label> <input autocomplete="off" type="text" id="edit-search-block-form--2" name="search_block_form" value="" maxlength="128" class="form-text" /> </div> <div class="form-actions form-wrapper" id="edit-actions"><button aria-label="search" type="submit" name="op"></button></div><input type="hidden" name="form_build_id" value="form-eI_nxGe-iKo7jFBKrj3MA3z-S5L-iTetQWRIUDYN6O0" /> <input type="hidden" name="form_id" value="search_block_form" /> </div> </div></form></li> </ul> </div> </div> <hr/> <div id="mobile-signup"> Email updates on news, actions,<br/> and events in your area. 
</div> <div id="mobile-signup-button"> <a href="https://eff.org/signup">Join EFF Lists</a> </div> <div id="mobile-footer-bottom"> <div class="panel-pane pane-block pane-menu-menu-footer-bottom"> <ul class="menu"><li class="first leaf"><a href="/copyright">Copyright (CC BY)</a></li> <li class="leaf"><a href="/pages/trademark-and-brand-usage-policy" title="Trademark and Brand Usage Policy">Trademark</a></li> <li class="leaf"><a href="/policy">Privacy Policy</a></li> <li class="last leaf"><a href="/thanks">Thanks</a></li> </ul> </div> </div> </div> <div id="masthead-mobile-wrapper"> <div id="masthead-mobile"> <div class="branding"> <div class="panel-pane pane-page-site-name"> <a href="/">Electronic Frontier Foundation</a> </div> </div> <div class="hamburger"></div> <div class="donate"> <a href="https://supporters.eff.org/donate/site-m--m">Donate</a> </div> </div> </div> <div id="site_banner"> </div> <header id="header"> <div id="page"> <div id="masthead-wrapper"> <div id="masthead"> <div class="branding"> <div class="panel-pane pane-page-site-name"> <a href="/">Electronic Frontier Foundation</a> </div> </div> <div id="main-menu-nav" class="navigation"> <div> <div class="panel-pane pane-main-nav-menu"> <ul class="menu"><li class=""><a href="/about">About</a><ul class="menu"><li class="first leaf"><a href="/about/contact">Contact</a></li> <li class="leaf"><a href="/press/contact">Press</a></li> <li class="leaf"><a href="/about/staff" title="Details and contact information for the EFF&#039;s staff">People</a></li> <li class="last leaf"><a href="/about/opportunities">Opportunities</a></li> </ul></li> <li class=""><a href="/work">Issues</a><ul class="menu"><li class="first leaf"><a href="/issues/free-speech">Free Speech</a></li> <li class="leaf"><a href="/issues/privacy">Privacy</a></li> <li class="leaf"><a href="/issues/innovation">Creativity and Innovation</a></li> <li class="leaf"><a href="/issues/transparency">Transparency</a></li> <li class="leaf"><a 
href="/issues/international">International</a></li> <li class="last leaf"><a href="/issues/security">Security</a></li> </ul></li> <li class=""><a href="/updates">Our Work</a><ul class="menu"><li class="first leaf"><a href="/deeplinks">Deeplinks Blog</a></li> <li class="leaf"><a href="/updates?type=press_release">Press Releases</a></li> <li class="leaf"><a href="/updates?type=event">Events</a></li> <li class="leaf"><a href="/pages/legal-cases" title="">Legal Cases</a></li> <li class="leaf"><a href="/updates?type=whitepaper">Whitepapers</a></li> <li class="leaf"><a href="/taxonomy/term/11579/" title="">Podcast</a></li> <li class="last leaf"><a href="https://www.eff.org/about/annual-reports-and-financials" title="">Annual Reports</a></li> </ul></li> <li class=""><a href="https://act.eff.org/">Take Action</a><ul class="menu"><li class="first leaf"><a href="https://act.eff.org/">Action Center</a></li> <li class="leaf"><a href="/fight">Electronic Frontier Alliance</a></li> <li class="last leaf"><a href="/about/opportunities/volunteer">Volunteer</a></li> </ul></li> <li class=""><a href="/pages/tools">Tools</a><ul class="menu"><li class="first leaf"><a href="https://www.eff.org/pages/privacy-badger" title="">Privacy Badger</a></li> <li class="leaf"><a href="https://www.eff.org/pages/surveillance-self-defense" title="">Surveillance Self-Defense</a></li> <li class="leaf"><a href="https://www.eff.org/pages/certbot" title="">Certbot</a></li> <li class="leaf"><a href="https://www.eff.org/pages/atlas-surveillance" title="">Atlas of Surveillance</a></li> <li class="leaf"><a href="https://www.eff.org/pages/cover-your-tracks" title="">Cover Your Tracks</a></li> <li class="leaf"><a href="https://sls.eff.org/" title="">Street Level Surveillance</a></li> <li class="last leaf"><a href="https://github.com/EFForg/apkeep" title="">apkeep</a></li> </ul></li> <li class=""><a href="https://supporters.eff.org/donate/join-eff-today" title="Donate to EFF">Donate</a><ul class="menu"><li 
class="first leaf"><a href="https://supporters.eff.org/donate/join-eff-today">Donate to EFF</a></li> <li class="leaf"><a href="/givingsociety" title="">Giving Societies</a></li> <li class="leaf"><a href="https://shop.eff.org">Shop</a></li> <li class="leaf"><a href="https://www.eff.org/thanks#organizational_members" title="">Org. Membership</a></li> <li class="leaf"><a href="/helpout">Other Ways to Give</a></li> <li class="last leaf"><a href="/pages/membership-faq" title="Frequently Asked Questions and other information about EFF Memberships.">Membership FAQ</a></li> </ul></li> <li class=""><a href="https://supporters.eff.org/donate/site-m--h" title="Donate to EFF">Donate</a><ul class="menu"><li class="first leaf"><a href="https://supporters.eff.org/donate/site-m--h">Donate to EFF</a></li> <li class="leaf"><a href="https://shop.eff.org" title="">Shop</a></li> <li class="last leaf"><a href="/helpout">Other Ways to Give</a></li> </ul></li> <li class="last leaf"><form class="search-block-form search-site" action="/search/site" method="post" id="search-block-form" accept-charset="UTF-8"><div><div class="container-inline"> <h2 class="element-invisible">Search form</h2> <div class="form-item form-type-textfield form-item-search-block-form"> <label class="element-invisible" for="edit-search-block-form--2">Search </label> <input autocomplete="off" type="text" id="edit-search-block-form--2" name="search_block_form" value="" maxlength="128" class="form-text" /> </div> <div class="form-actions form-wrapper" id="edit-actions"><button aria-label="search" type="submit" name="op"></button></div><input type="hidden" name="form_build_id" value="form-eI_nxGe-iKo7jFBKrj3MA3z-S5L-iTetQWRIUDYN6O0" /> <input type="hidden" name="form_id" value="search_block_form" /> </div> </div></form></li> </ul> </div> </div> <div id="search-box"> </div> </div> </div> </div> </div> </header> <noscript> <div class="primary-nav-nojs"> </div> </noscript> <!-- See if there's anything above the banner --> 
<div class="above-banner"> <div class="panel-pane pane-page-title"> <h1>Security Vulnerability Disclosure Program</h1> </div> <div class="panel-pane pane-eff-content-type"> PROJECT </div> </div> <!-- See if there's anything in the banner --> <div class="banner-wrapper"> <div class="panel-pane pane-banner"> <div></div> </div> </div> <div id="main-content"> <div id="breadcrumb"> </div> <div class="main-column"> <div class="panel-pane pane-page-title"> <h1>Security Vulnerability Disclosure Program</h1> </div> <div class="panel-pane pane-page-content"> <div class="long-read"> <div class="onecol column content-wrapper"> </div> <div class="onecol column content-banner"> </div> <div class="onecol column content-wrapper"> <div class="column main-content"> <div class="panel-pane pane-entity-field pane-node-body"> <div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p><em>Also check out our <a href="/security/hall-of-fame">EFF Security Hall of Fame</a> to see the heroes that have already reported security vulnerabilities to us!</em></p> <h3>Overview</h3> <p>EFF is committed to protecting the privacy and security of users of our software tools. Our Vulnerability Disclosure Program is intended to minimize the impact any security flaws have on our tools or their users. 
EFF's Vulnerability Disclosure Program covers select software partially or primarily written by EFF.</p> <h3 id="scope-software-written-by-eff">Scope: Software Written by EFF</h3> <p>EFF's Vulnerability Disclosure Program applies to security vulnerabilities discovered in any of the following software:</p> <ul> <li><a href="https://github.com/EFForg/https-everywhere">HTTPS Everywhere (for Chrome and Firefox)</a></li> <li><a href="https://github.com/EFForg/privacybadgerchrome">Privacy Badger</a></li> <li><a href="https://github.com/certbot/certbot">Certbot</a></li> <li><a href="https://github.com/letsencrypt/boulder">Boulder</a></li> </ul> <p>In order to qualify, the vulnerability must exist in the latest public release (including officially released public betas) of the software. Only security vulnerabilities will qualify. We would love it if people reported other bugs via the appropriate channels, but since the purpose of this program is to fix security vulnerabilities, only bugs that lead to security vulnerabilities will be eligible for rewards. Other bugs will be accepted at our discretion.</p> <h3 id="scope-software-and-systems-eff-uses"></h3> <h3 id="guidelines">Guidelines</h3> <p>Please adhere to the following guidelines in order to be eligible for rewards under this disclosure program:</p> <ul> <li>Do not permanently modify or delete EFF-hosted data.</li> <li>Do not intentionally access non-public EFF data any more than is necessary to demonstrate the vulnerability.</li> <li>Do not DDoS or otherwise disrupt, interrupt or degrade our internal or external services.</li> <li>Do not share confidential information obtained from EFF, including but not limited to member or donor payment information, with any third party.</li> <li>Social engineering is out of scope. 
Do not send phishing emails to, or use other social engineering techniques against, anyone, including EFF staff, members, vendors, or partners.</li> </ul> <p>In addition, please allow EFF at least 90 days to fix the vulnerability before publicly discussing or blogging about it. EFF believes that security researchers have a First Amendment right to report their research and that disclosure is highly beneficial, and understands that it is a highly subjective question of when and how to hold back details to mitigate the risk that vulnerability information will be misused. If you believe that earlier disclosure is necessary, please let us know so that we can begin a conversation.</p> <h3 id="reporting">Reporting</h3> <p>Just as important as discovering security flaws is reporting the findings so that users can protect themselves and vendors can repair their products. Public disclosure of security information enables informed consumer choice and inspires vendors to be truthful about flaws, repair vulnerabilities, and build more secure products. Disclosure and peer review advance the state of the art in security. Researchers can figure out where new technologies need to be developed, and the information can help policymakers understand where problems tend to occur.</p> <p>On the other hand, vulnerability information can give attackers who were not otherwise sophisticated enough to find the problem on their own the very information they need to exploit a security hole in a computer or system and cause harm. Therefore we ask that you privately report the vulnerability to EFF before public disclosure.</p> <p>Send an email to <a href="mailto:vulnerabilities@eff.org">vulnerabilities@eff.org</a> using the <a href="https://www.eff.org/files/vulnerabilities_at_eff.txt">GPG key located here</a>, with information about the vulnerability and detailed steps on how to replicate it. 
Submissions that include detailed information on how to fix the corresponding vulnerability are more likely to receive more valuable rewards.</p> <p>If you do not want to be publicly thanked on our <a href="https://www.eff.org/security/hall-of-fame">EFF Security Hall of Fame page</a> (or elsewhere), please let us know that you want your submission to be confidential in your report email. We can still provide rewards for confidential submissions, if you like.</p> <p>We are also happy to accept anonymous vulnerability reports, but of course we can't send you our thanks if you report a vulnerability anonymously.</p> <p>We will make every effort to respond to valid reports within seven business days.</p> <p>The validity of a vulnerability will be judged at the sole discretion of EFF.</p> <p><a href="https://www.eff.org/issues/coders/vulnerability-reporting-faq">Coders’ Rights Project Vulnerability Reporting FAQ</a></p> <h3 id="rewards">Rewards</h3> <p>Not all reported issues may qualify for a reward. Rewards are awarded at EFF's sole discretion. As a member-driven nonprofit we are unable to afford cash bounties (sorry!), but can offer non-cash rewards, including:</p> <ul> <li>Public acknowledgement on our <a href="https://www.eff.org/security/hall-of-fame">EFF Security Hall of Fame page</a>,</li> <li><a href="https://supporters.eff.org/shop">EFF gear (stickers, etc.)</a>,</li> <li>Complimentary <a href="https://supporters.eff.org/sites/all/modules/custom/eff_donate_pages/html/membership_details.html">EFF memberships</a>,</li> <li>Opportunities to tour the EFF office and meet with EFF staff, and</li> <li>Complimentary tickets to EFF events like the <a href="https://www.eff.org/awards/past-winners">EFF Awards</a> for especially severe vulnerabilities.</li> </ul> <p>If you would like a particular reward (e.g., you already have a t-shirt and would prefer a sticker pack), please let us know when you report the vulnerability. 
While the reward EFF provides in exchange for disclosing a vulnerability under this policy will be up to the sole discretion of EFF, we will certainly take your request into consideration.</p> <p>Please note that in some cases we will be unable to provide a physical reward if the shipping cost is prohibitively expensive, or if we have had difficulties shipping to your area before. In particular, at this time we are unable to ship physical rewards to India and Pakistan.</p> <p>Only the first report we receive about a given vulnerability will be rewarded. We cannot send rewards where prohibited by law (i.e. North Korea, Cuba, etc.).</p> <h3 id="questions">Questions</h3> <p>If you have any questions about our vulnerability disclosure policy, please email <a href="mailto:vulnerabilities@eff.org">vulnerabilities@eff.org</a> (<a href="https://www.eff.org/files/vulnerabilities_at_eff.txt">GPG key</a>).</p> </div></div></div> </div> <div class="panel-pane pane-node-links link-wrapper"> </div> </div> <div class="column side-content"> </div> </div> <div class="onecol column content-footer"> </div> </div> </div> </div> <div class="clear-block"></div> </div> <p class="faq-toc"><a href="#main-content">Back to top</a></p> </div> <div id="footer"> <div class="panel-pane pane-footer-logo"> <a href="https://www.eff.org"><img src="https://www.eff.org/sites/all/modules/custom/eff_library/images/eff-logo-1color-blue.svg" alt="EFF Home" /></a> </div> <div class="panel-pane pane-menu-tree pane-menu-footer-social-links"> <h2 class="pane-title">Follow EFF:</h2> <div class="menu-block-wrapper menu-block-ctools-menu-footer-social-links-1 menu-name-menu-footer-social-links parent-mlid-0 menu-level-1"> <ul class="menu"><li class="first leaf menu-mlid-13408"><a href="https://twitter.com/eff" title="EFF on X">x</a></li> <li class="leaf menu-mlid-13409"><a href="https://www.facebook.com/eff" title="EFF on facebook">facebook</a></li> <li class="leaf menu-mlid-13410"><a 
href="https://www.instagram.com/efforg/" title="EFF on Instagram">instagram</a></li> <li class="leaf menu-mlid-13411"><a href="https://www.youtube.com/efforg" title="EFF on YouTube">youtube</a></li> <li class="leaf menu-mlid-13412"><a href="https://www.flickr.com/photos/electronicfrontierfoundation">flicker</a></li> <li class="leaf menu-mlid-16445"><a href="https://www.linkedin.com/company/EFF" title="">linkedin</a></li> <li class="leaf menu-mlid-16459"><a href="https://mastodon.social/@eff" title="" rel="me">mastodon</a></li> <li class="leaf menu-mlid-16460"><a href="https://www.tiktok.com/@efforg" title="">tiktok</a></li> <li class="last leaf menu-mlid-16475"><a href="https://www.threads.net/@efforg" title="">threads</a></li> </ul></div> </div> <div class="panel-pane pane-custom pane-1"> <p>Check out our 4-star rating on <a href="https://www.charitynavigator.org/ein/043091431" target="_blank" rel="noopener noreferrer">Charity Navigator</a>.</p> </div> <div class="panel-pane pane-block pane-menu-menu-contact-footer-menu"> <h2 class="pane-title">Contact</h2> <ul class="menu"><li class="first leaf"><a href="/about/contact">General</a></li> <li class="leaf"><a href="/pages/legal-assistance">Legal</a></li> <li class="leaf active-trail"><a href="/security" class="active-trail active">Security</a></li> <li class="leaf"><a href="/about/contact">Membership</a></li> <li class="last leaf"><a href="/press/contact">Press</a></li> </ul> </div> <div class="panel-pane pane-block pane-menu-menu-about-footer-menu"> <h2 class="pane-title">About</h2> <ul class="menu"><li class="first leaf"><a href="/event" title="">Calendar</a></li> <li class="leaf"><a href="/about/opportunities/volunteer" title="">Volunteer</a></li> <li class="leaf"><a href="/victories" title="">Victories</a></li> <li class="leaf"><a href="/about/history" title="">History</a></li> <li class="leaf"><a href="/about/opportunities/interns" title="">Internships</a></li> <li class="leaf"><a 
href="https://www.paycomonline.net/v4/ats/web.php/jobs?clientkey=28620672D234BF368306CEB4A2746667" title="">Jobs</a></li> <li class="leaf"><a href="/about/staff" title="">Staff</a></li> <li class="last leaf"><a href="/pages/effs-diversity-statement" title="">Diversity &amp; Inclusion</a></li> </ul> </div> <div class="panel-pane pane-block pane-menu-menu-footer-menu-issues"> <h2 class="pane-title">Issues</h2> <ul class="menu"><li class="first leaf"><a href="/issues/free-speech">Free Speech</a></li> <li class="leaf"><a href="/issues/privacy">Privacy</a></li> <li class="leaf"><a href="/issues/innovation">Creativity &amp; Innovation</a></li> <li class="leaf"><a href="/issues/transparency">Transparency</a></li> <li class="leaf"><a href="/issues/international">International</a></li> <li class="last leaf"><a href="/issues/security">Security</a></li> </ul> </div> <div class="panel-pane pane-block pane-menu-menu-footer-updates-menu"> <h2 class="pane-title">Updates</h2> <ul class="menu"><li class="first leaf"><a href="/updates?type=blog">Blog</a></li> <li class="leaf"><a href="/updates?type=press_release">Press Releases</a></li> <li class="leaf"><a href="/updates?type=event">Events</a></li> <li class="leaf"><a href="https://www.eff.org/cases" title="">Legal Cases</a></li> <li class="leaf"><a href="/updates?type=whitepaper">Whitepapers</a></li> <li class="last leaf"><a href="https://www.eff.org/effector" title="">EFFector Newsletter</a></li> </ul> </div> <div class="panel-pane pane-block pane-menu-menu-footer-press-menu"> <h2 class="pane-title">Press</h2> <ul class="menu"><li class="first last leaf"><a href="/press/contact">Press Contact</a></li> </ul> </div> <div class="panel-pane pane-block pane-menu-menu-footer-donate-menu"> <h2 class="pane-title">Donate</h2> <ul class="menu"><li class="first leaf"><a href="https://supporters.eff.org/donate/donate-df" title="">Join or Renew Membership Online</a></li> <li class="leaf"><a href="https://supporters.eff.org/donate/donate-df" 
title="">One-Time Donation Online</a></li> <li class="leaf"><a href="/givingsociety" title="">Giving Societies</a></li> <li class="leaf"><a href="https://shop.eff.org">Shop</a></li> <li class="last leaf"><a href="/helpout">Other Ways to Give</a></li> </ul> </div> </div> <div id="footer-bottom"> <div class="panel-pane pane-block pane-menu-menu-footer-bottom"> <ul class="menu"><li class="first leaf"><a href="/copyright">Copyright (CC BY)</a></li> <li class="leaf"><a href="/pages/trademark-and-brand-usage-policy" title="Trademark and Brand Usage Policy">Trademark</a></li> <li class="leaf"><a href="/policy">Privacy Policy</a></li> <li class="last leaf"><a href="/thanks">Thanks</a></li> </ul> </div> </div> <a href="/librejs/jslicense" rel="jslicense" style="display: none">JavaScript license information</a><div id="piwik-noscript"></div><noscript><img style="position: absolute" src="https://anon-stats.eff.org/js/?idsite=1&amp;rec=1&amp;url=https%3A//www.eff.org/security&amp;action_name=Security%20Vulnerability%20Disclosure%20Program%20%7C%20Electronic%20Frontier%20Foundation&amp;dimension2=panelized_page&amp;dimension3=89201" width="0" height="0" alt="" /></noscript> <script src="https://www.eff.org/files/js/js_lMrfy51aI91p2ZAdgpEs4r3pZi-E809QDyWJpbMpnTw.js"></script> </body> </html>
