SEARCH FINANCIAL SERVICES INFRASTRUCTURE SECURITY SCIENCE INTERVIEWS

 

     

In January, the EU starts running Bug Bounties on Free and Open Source Software

By EU Member of Parliament Julia Reda

January 2. 2018

It’s been a while since I last wrote about the Free and Open Source Software Audit project, FOSSA, so let me start with a quick recap that you can safely skip if you’re already familiar with the project.

What happened so far

In 2014, security vulnerabilities were found in important Free Software projects. One of the issues was found in the Open Source encryption library OpenSSL. This type of software is called a library because it provides standard functions to a huge number of other softwares. And they subsequently suffered from the issue.

Since OpenSSL is also very important for the encryption of Internet traffic, it is also highly relevant to the protection of your personal communication, or your payment details when you’re shopping online.

The issue made lots of people realise how important Free and Open Source Software is for the integrity and reliability of the Internet and other infrastructure. Like many other organisations, institutions like the European Parliament, the Council and the Commission build upon Free Software to run their websites and many other things. But the Internet is not only crucial to our economy and our administration. It is the infrastructure that runs our every day lives. It is the means we use to retrieve information and to be politically active.

That is why my colleague Max Andersson and I started the Free and Open Source Software Audit project: FOSSA.

FOSSA

In 2015-2016, the first iteration of the FOSSA project, the European Commission, that runs the project for us, has inventorized what Free Software it relies on. It also analyzed how the software developers handle security in their projects. And finally, two projects (web server Apache and password manager KeePass) received a security audit.

FOSSA 2

In 2017, the project was extended for three more years. This time, we decided to go one step further and added the carrying out of Bug Bounties on important Free Software projects to the list of measures we wanted to put in place to increase the security of Free and Open Source Software.

We also planned a series of Hackathons that will allow software developers from within the EU institutions, and developers from Free Software projects, to work more closely together and to collaborate directly on their software.

FOSSA Bug Bounties

In January, the EU is launching bug bounties on Free Software projects to increase the security of the Internet!
Tweet this!

In January the European Commission is launching 14 out of a total of 15 bug bounties on Free Software projects that the EU institutions rely on. A bug bounty is a prize for people who actively search for security issues. The amount of the bounty depends on the severity of the issue uncovered and the relative importance of the software. The software projects chosen were previously identified as candidates in the inventories and a public survey.

You can contribute to the projects below by analysing the software, and by submitting any bugs or vulnerabilities you find to the involved bug bounty platforms. Here is the list of Software projects and the bug bounties: 

Software Project Bug Bounty Amount (Euro) Start Date End Date Bug Bounty Platform
Filezilla 58.000,00 € 07/01/2019 15/08/2019 HackerOne
Apache Kafka 58.000,00 € 07/01/2019 15/08/2019 HackerOne
Notepad++ 71.000,00 € 07/01/2019 15/08/2019 HackerOne
PuTTY 90.000,00 € 07/01/2019 15/12/2019 HackerOne
VLC Media Player 58.000,00 € 07/01/2019 15/08/2019 HackerOne
FLUX TL 34.000,00 € 15/01/2019 15/10/2019 Intigriti/Deloitte
KeePass 71.000,00 € 15/01/2019 31/07/2019 Intigriti/Deloitte
7-zip 58.000,00 € 30/01/2019 15/04/2020 Intigriti/Deloitte
Digital Signature Services (DSS) 25.000,00 € 30/01/2019 15/10/2019 Intigriti/Deloitte
Drupal 89.000,00 € 30/01/2019 15/10/2020 Intigriti/Deloitte
GNU C Library (glibc) 45.000,00 € 30/01/2019 15/12/2019 Intigriti/Deloitte
PHP Symfony 39.000,00 € 30/01/2019 15/10/2019 Intigriti/Deloitte
Apache Tomcat 39.000,00 € 30/01/2019 15/10/2019 Intigriti/Deloitte
WSO2 58.000,00 € 30/01/2019 15/04/2020 Intigriti/Deloitte
midPoint 58.000,00 € 01/03/2019 15/08/2019 HackerOne

We will update this post as more, detailled information becomes available.

To the extent possible under law, the creator has waived all copyright and related or neighboring rights to this work.

Terms of Use | Copyright © 2002 - 2017 CONSTITUENTWORKS SM  CORPORATION. All rights reserved. | Privacy Statement