Europe Announces Bug Bounty Program for Popular Free Software
In January the European Commission is launching new bug bounties on Free Software projects that the EU institutions rely on.
A bug bounty is a prize for people who actively search for security issues. The amount of the bounty depends on the severity of the issue uncovered and the relative importance of the software.
The program is part of the Free and Open Source Software Audit project, FOSSA. FOSSA launched in 2014, when it identified security vulnerabilities in important Free Software projects. One of the issues was found in the Open Source encryption library OpenSSL.
Like many other organisations, institutions like the European Parliament, the Council and the Commission build upon Free Software to run their websites and many other things.
In 2015-2016, the European Commission inventorized what Free Software it relies on. It also analyzed how the software developers handle security in their projects. And finally, two projects (web server Apache and password manager KeePass) received a security audit.
In 2017, the project was extended for three more years. This time, it was added the carrying out of Bug Bounties on important Free Software projects to the list of measures put in place to increase the security of Free and Open Source Software.
A series of Hackathons were also planned that would allow software developers from within the EU institutions, and developers from Free Software projects, to work more closely together and to collaborate directly on their software.
Coming to more recent developments, in January, the EU is launching 14 out of a total of 15 bug bounties on Free Software projects that the EU institutions rely on. The software projects chosen were previously identified as candidates in the inventories and a public survey. Rewards are ranging from €17,000 ($19,400) to €90,000 ($103,000).
The full list of programs that will be funded by the EC from January includes a number of popular tools: 7-zip, Apache Kafka, Apache Tomcat, Digital Signature Services (DSS), Drupal, Filezilla, FLUX TL, the GNU C Library (glibc), KeePass, Notepad++, PuTTY, PHP Symfony, VLC Media Player and WSO2. In March, midpoint will be added to the list.
Here is the list of Software projects and the bug bounties:
| Software Project | Bug Bounty Amount (Euro) | Start Date | End Date | Bug Bounty Platform |
|---|---|---|---|---|
| Filezilla | 58.000,00 € | 07/01/2019 | 15/08/2019 | HackerOne |
| Apache Kafka | 58.000,00 € | 07/01/2019 | 15/08/2019 | HackerOne |
| Notepad++ | 71.000,00 € | 07/01/2019 | 15/08/2019 | HackerOne |
| PuTTY | 90.000,00 € | 07/01/2019 | 15/12/2019 | HackerOne |
| VLC Media Player | 58.000,00 € | 07/01/2019 | 15/08/2019 | HackerOne |
| FLUX TL | 34.000,00 € | 15/01/2019 | 15/10/2019 | Intigriti/Deloitte |
| KeePass | 71.000,00 € | 15/01/2019 | 31/07/2019 | Intigriti/Deloitte |
| 7-zip | 58.000,00 € | 30/01/2019 | 15/04/2020 | Intigriti/Deloitte |
| Digital Signature Services (DSS) | 25.000,00 € | 30/01/2019 | 15/10/2019 | Intigriti/Deloitte |
| Drupal | 89.000,00 € | 30/01/2019 | 15/10/2020 | Intigriti/Deloitte |
| GNU C Library (glibc) | 45.000,00 € | 30/01/2019 | 15/12/2019 | Intigriti/Deloitte |
| PHP Symfony | 39.000,00 € | 30/01/2019 | 15/10/2019 | Intigriti/Deloitte |
| Apache Tomcat | 39.000,00 € | 30/01/2019 | 15/10/2019 | Intigriti/Deloitte |
| WSO2 | 58.000,00 € | 30/01/2019 | 15/04/2020 | Intigriti/Deloitte |
| midPoint | 58.000,00 € | 01/03/2019 | 15/08/2019 | HackerOne |
