EU offers bug bounties on popular open source software | WeLiveSecurity


The program with a prize pool of almost US$1 million aims to leverage the ‘power of the crowd’ in order to prevent another Heartbleed


The European Union (EU) is rolling out a bug bounty scheme on some of the most popular free and open source software around in a bid to ultimately make the internet a safer place.

A total of €851,000 (not too far from US$1 million) is up for grabs as rewards for identifying security vulnerabilities in 15 widely used software projects (a full breakdown is shown below). A portion of the cash-for-bugs scheme is kicking off today, while nearly all others are scheduled to begin later this month.

The program was announced by Julia Reda, a member of the European Parliament, who – together with fellow EU parliamentarian Max Andersson – has spearheaded the Free and Open Source Software Audit (FOSSA) project since 2014.

Reda and Andersson’s initiative came in response to the discovery of Heartbleed, a vulnerability in the cryptographic software library OpenSSL that sent shockwaves throughout the IT community in 2014.

“The issue made lots of people realise how important Free and Open Source Software is for the integrity and reliability of the Internet and other infrastructure. Like many other organisations, institutions like the European Parliament, the Council and the Commission build upon Free Software to run their websites and many other things,” writes Reda.

Software project                  Bug bounty (EUR)   Start date (DD/MM/YYYY)   End date (DD/MM/YYYY)   Bug bounty platform
FileZilla                         58,000             07/01/2019                15/08/2019              HackerOne
Apache Kafka                      58,000             07/01/2019                15/08/2019              HackerOne
Notepad++                         71,000             07/01/2019                15/08/2019              HackerOne
PuTTY                             90,000             07/01/2019                15/12/2019              HackerOne
VLC Media Player                  58,000             07/01/2019                15/08/2019              HackerOne
FLUX TL                           34,000             15/01/2019                15/10/2019              Intigriti/Deloitte
KeePass                           71,000             15/01/2019                31/07/2019              Intigriti/Deloitte
7-Zip                             58,000             30/01/2019                15/04/2020              Intigriti/Deloitte
Digital Signature Services (DSS)  25,000             30/01/2019                15/10/2019              Intigriti/Deloitte
Drupal                            89,000             30/01/2019                15/10/2020              Intigriti/Deloitte
GNU C Library (glibc)             45,000             30/01/2019                15/12/2019              Intigriti/Deloitte
PHP Symfony                       39,000             30/01/2019                15/10/2019              Intigriti/Deloitte
Apache Tomcat                     39,000             30/01/2019                15/10/2019              Intigriti/Deloitte
WSO2                              58,000             30/01/2019                15/04/2020              Intigriti/Deloitte
midPoint                          58,000             01/03/2019                15/08/2019              HackerOne

The EU’s bug bounty scheme at a glance (source: juliareda.eu)

The bounties will be determined by “the severity of the issue uncovered and the relative importance of the software”, said Reda. The scheme will be open for most of this year and, in some cases, well into 2020, leaving ample time for poring over the code and rooting out potential flaws. Unlike many bug bounty programs that are invite-only, this initiative is open to everybody.

The tools selected for this scrutiny were chosen through a screening of the open source software in use by the European Commission, combined with an analysis of how well the respective developers handle security and with a public vote – all of which were part of FOSSA’s pilot run in 2015 and 2016.

The screening found that open source software accounted for 18 percent of software items and for 16 percent of software instances in use by the EU’s executive arm.

Meanwhile, the public vote selected the KeePass password manager and the Apache web server for security audits. The subsequent code reviews, conducted by engineers contracted by the Commission, found no critical or high-risk security holes in either project: KeePass was found to contain five medium- and three low-risk flaws, whereas in Apache two low-risk vulnerabilities were spotted.

As part of FOSSA’s second stage in 2017, the Commission announced a proof-of-concept bug bounty on VLC Media Player, a piece of software installed on every workstation at the Commission.
