Voluntarily Protecting the Internet: The GDI Foundation Identifies and Reports Vulnerabilities via Responsible Disclosures

GDI Foundation Is Voluntarily Protecting the Internet

TL;DR: The GDI Foundation is a nonprofit organization dedicated to defending the free and open internet by detecting risks and vulnerabilities. The international humanitarian group, staffed solely by volunteers, operates with a focus on responsible disclosure to ensure ethical standards are met. With a goal to enable smarter collaboration and boost growth through internship programs, the GDI Foundation is working to further its mission to safeguard the well-being of our online communities.

In an era where villains are as prolific online as they are in comic books, it’s encouraging to know that an unheralded group of internet superheroes is working to protect us from our enemies.

They’re known as the GDI Foundation, an international humanitarian organization operating under a sworn oath to protect the life and dignity of anyone who is at risk online. The group, made up entirely of volunteers, is on a mission to defend the free and open internet by identifying vulnerabilities and providing free advice on solutions.


The GDI Foundation is protecting an open internet.

“In 2018, our group of only 21 volunteers reported more than 668,000 vulnerable systems, of which half a million were repaired,” said Victor Gevers, Founder of the GDI Foundation. “Comparatively, we report more at-risk systems in one year than all reported bug bounties combined.”

As a nonprofit, the organization depends on donations, sponsorships, and participating members and is not driven in any manner by financial gain. The foundation also maintains a position of neutrality and impartiality in that it does not discriminate based on nationality, race, political opinion, or religious belief, and may not take sides in hostilities.

To ensure its operation adheres to ethical standards, the GDI Foundation addresses security issues through a responsible disclosure process that gives individuals and businesses a chance to remedy problems before they are exposed publicly.

Moving forward, the GDI Foundation aims to enable smarter collaboration and boost growth through internship programs, furthering its mission to safeguard the well-being of our online communities.

An International Nonprofit Defending the Free & Open Internet

Victor launched the GDI Foundation in 2016 to kick off an Indiegogo-backed effort, known at the time as PROJECT366, to make the internet a safer place.

“The idea was to start looking for data leaks and vulnerable systems for 15 hours per day using any source available, including crawlers like Shodan, to find as many affected systems as quickly as possible and report them to the owner to get them fixed,” Victor said. “By the end of the year, I reported more than 600 systems, which was impressive for a one-man operation.”

The project quickly captured the interest of others in the security and ethical hacking space who were interested in lending their skills to the cause. Together, Victor and his growing team reviewed ways to accelerate progress. By 2017, the operation included nine volunteers, who cumulatively reported 126,000 security issues that year through responsible disclosures — 125,000 of which were fixed.


The international humanitarian group operates with a focus on ethical standards.

By 2018, exposure in the mainstream media had helped the GDI Foundation gain some notoriety, which Victor credits for increasing response rates. He also said that, because there are no national boundaries when it comes to data security, the organization has learned how to improve response rates by tailoring emails to suit varying cultural norms.

“Our emails are based on canned responses, but they are not one-size-fits-all,” he said. “For example, if you report something in Japan, the way you present the news should be as helpful and polite as possible.”

Whoever receives the email should be able to quickly understand exactly what the issue is and how it can be properly resolved. “In doing this for years and years, we have created an effective recipe for how to report vulnerabilities,” Victor said. “And — knock on wood — for all the things that we have reported, no organization has, for instance, brought forth a lawsuit, so apparently we’re doing it right.”

Smart Collaboration and Expansion Through Internship Programs

Victor said the GDI Foundation is always proactive about finding efficiencies that will allow the organization to make the internet safer. Currently, the group is looking to improve collaboration with security researchers and volunteers to ease training as participation increases.

“We want to find ways to collaborate smarter so that we can really prevent our economies from being exploited,” he said. “The goal is to upscale to 200 people or more and provide a platform where they can learn from each other.”


The rapidly growing organization is finding innovative solutions for streamlining collaboration.

Sanyam Jain, Security Researcher at the GDI Foundation, is seeking a wide range of talent, from researchers to white hat hackers. He noted that the organization vets people based on skill, not just qualifications or degrees. “We have opened up a lot of internships for malware and exploit developers that will be able to help people patch their systems; we can release decryptors for them, too,” Sanyam said.

He’s also looking for security researchers. Throughout the years, the GDI Foundation has identified a problem where researchers identify vulnerabilities but are unsuccessful when it comes to communicating them. The organization believes it can step in to better bridge that gap with its insight on how certain companies and countries react to vulnerability reports.

“We have several open internships for researchers, and if they find something, we are taking the initiative to disclose it responsibly,” Sanyam said.

A Focus on Ensuring an Ethical, Responsible Disclosure Process

According to Victor, the majority of people who joined the foundation in 2017 did so because their interests lie in research, not the responsibility of communicating or cleaning up vulnerabilities.

“They would try to get in contact with a company or organization, get frustrated, and say, ‘If they don’t listen, I will make a full public disclosure,’” he said. “That’s exactly the part that we want to prevent.”

The other problem, he said, is that many researchers keep their projects extremely private in case others are pursuing similar work. When multiple researchers begin racing to the finish, they are more likely to take shortcuts in terms of responsible disclosure.

“If we can facilitate communication between those parties and organizations that are being affected by such research, I think we can really make a difference,” Victor said.

Other researchers fear speaking out due to oppressive government or corporate policies. To that end, the GDI Foundation vows to allow any researchers to remain anonymous upon request.

“There have been several times that researchers fear reporting vulnerabilities and have asked to remain anonymous, and we do not disclose their information in any way,” Victor said.

Future Plans: The Launch of a Cooperation Portal

Next on the GDI Foundation’s agenda is the creation of a user portal designed to facilitate teamwork and streamline operations as membership continues to grow. The organization is looking forward to providing training and education through the portal to expedite onboarding.

“We are still using Google Spreadsheets to keep track of our volunteers, but now it’s time to move on to a big collaboration platform,” he said.

Although there’s no monetary reward for participation, Victor said that members often benefit from the opportunity to build experience in security and network with professionals in the industry. He added that the GDI Foundation is also planning initiatives to help them do so.

“We have two volunteers from 2017 in different age groups who were working in IT, but didn’t have a security job,” he said. “They were actively helping with MongoDB issues — one was building honeypots to detect bad traffic, and the other took charge of social media to increase collaboration.”

Today, both volunteers serve as security professionals, with one earning the role of director at a prominent security company.

“You can build a résumé based on volunteer work, so we envision something like LinkedIn where you can track a volunteer’s progress,” he said.