The European Union (EU) is rolling out a bug bounty scheme on some of the most popular free and open source software around in a bid to ultimately make the internet a safer place.
A total of €851,000 (not too far from US$1 million) is up for grabs as rewards for identifying security vulnerabilities in 15 widely used software projects (a full breakdown is shown below). A portion of the cash-for-bugs scheme is kicking off today, while nearly all others are scheduled to begin later this month.
The program was announced by Julia Reda, a member of the European Parliament, who – together with fellow EU parliamentarian Max Andersson – has spearheaded the Free and Open Source Software Audit (FOSSA) project since 2014.
Reda and Andersson’s initiative came in response to the discovery of Heartbleed, a vulnerability in the cryptographic software library OpenSSL that sent shockwaves throughout the IT community in 2014.
“The issue made lots of people realise how important Free and Open Source Software is for the integrity and reliability of the Internet and other infrastructure. Like many other organisations, institutions like the European Parliament, the Council and the Commission build upon Free Software to run their websites and many other things,” writes Reda.
| Software project | Bug bounty (EURO) | Start date (DD/MM/YYYY) | End date (DD/MM/YYYY) | Bug bounty platform |
|---|---|---|---|---|
| Filezilla | 58,000 | 7/1/2019 | 15/08/2019 | HackerOne |
| Apache Kafka | 58,000 | 7/1/2019 | 15/08/2019 | HackerOne |
| Notepad++ | 71,000 | 7/1/2019 | 15/08/2019 | HackerOne |
| PuTTY | 90,000 | 7/1/2019 | 15/12/2019 | HackerOne |
| VLC Media Player |
58,000 | 7/1/2019 | 15/08/2019 | HackerOne |
| FLUX TL | 34,000 | 15/01/2019 | 15/10/2019 | Intigriti/Deloitte |
| KeePass | 71,000 | 15/01/2019 | 31/07/2019 | Intigriti/Deloitte |
| 7-zip | 58,000 | 30/01/2019 | 15/04/2020 | Intigriti/Deloitte |
| Digital Signature Services (DSS) | 25,000 | 30/01/2019 | 15/10/2019 | Intigriti/Deloitte |
| Drupal | 89,000 | 30/01/2019 | 15/10/2020 | Intigriti/Deloitte |
| GNU C Library (glibc) | 45,000 | 30/01/2019 | 15/12/2019 | Intigriti/Deloitte |
| PHP Symfony | 39,000 | 30/01/2019 | 15/10/2019 | Intigriti/Deloitte |
| Apache Tomcat | 39,000 | 30/01/2019 | 15/10/2019 | Intigriti/Deloitte |
| WSO2 | 58,000 | 30/01/2019 | 15/04/2020 | Intigriti/Deloitte |
| midPoint | 58,000 | 1/3/2019 | 15/08/2019 | HackerOne |
The EU's bug bounty scheme at a glance (source: juliareda.eu)
The bounties will be determined by “the severity of the issue uncovered and the relative importance of the software”, said Reda. The scheme will be open for most of this year and, in some cases, even until way into 2020, leaving ample time for poring over the code and routing out potential flaws. Unlike many other bug bounty programs that are invite-only, this initiative is open to everybody.
The tools that are set to be accorded quite some scrutiny were determined by a screening of open software in use by the European Commission, in conjunction with an analysis of how the respective developers come to grips with security and with a public vote – which were all part of FOSSA’s pilot run in 2015 and 2016.
The screening found that open source software accounted for 18 percent of software items and for 16 percent of software instances in use by the EU’s executive arm.
Meanwhile, the public vote selected the KeePass password manager and the Apache web server for security audits. The subsequent code reviews, which were conducted by engineers contracted by the Commission, found no critical or high-risk security holes in either software: KeePass was found to contain five medium- and three low-risk flaws whereas in Apache two low-risk vulnerabilities were spotted.
As part of FOSSA’s second stage in 2017, the Commission announced a proof-of-concept bug bounty on VLC Media Player, a piece of software installed on every workstation at the Commission.
