EU launches Bug Bounty program for 14 free open-source products

The European Union (EU) will be offering bug bounty rewards for the 14 open-source products that it uses. The EU’s Member of Parliament Julia Reda announced that the European Commission will offer bounties worth of €851,000 under its Free and Open Source Software Audit (FOSSA).

Bug bounty program for 14 of its open source projects will commence from January 2019 while the last one will start from March 1. These programs are sponsored as part of the 3rd edition of the FOSSA project, which was approved by the EU authorities in 2015 after severe vulnerabilities were identified in the OpenSSL library in 2014.

Bug Bounty: Earn $40,000 for hacking Facebook, Instagram or WhatsApp

The programs included in the bug bounty program include the 7-zip, Apache Tomcat, Apache Kafka, Filezilla, Drupal, Digital Signature Services (DSS), the GNU C Library (glibc), FLUX TL, KeePass, PuTTY, the Symfony PHP framework, WSO2, Notepad++ and VLC Media Player.

In the announcement, Reda stressed the significance of free and open-source software and stated that:

“The issue made lots of people realize how important Free and Open Source Software is for the integrity and reliability of the Internet and other infrastructure. Like many other organizations, institutions like the European Parliament, the Council and the Commission build upon Free Software to run their websites and many other things.”

In the first edition of FOSSA that a public survey was held between 2015 and 2016 while this edition had an approximate budget of €1m and it was decided that FOSSA will sponsor security audit of KeePass and Apache HTTP web server. The second edition of FOSSA had a budget of €2m and its bug bounty program covered the VLC Media Player app.

From January onwards, security researchers and security firms can start looking for vulnerabilities in the open-source projects and earn a monetary reward for reporting a flaw. Security vulnerabilities for Apache Kafka, Notepad++, PuTTY, Filezilla, and VLC Media Player will be submitted from January 7, 2019, through the HackerOne bug bounty and vulnerability coordination platform.

From March 1, 2019, vulnerabilities for Midpoint identity management governance platform will be reported through HackerOne. Security audit for the remaining nine products will be coordinated through a Brussels-based crowdsourced security platform Integrity. PuTTY will offer the highest reward of €90,000 and security bugs in Drupal will be the second highest grosser with €89,000 reward amount.

Microsoft bug bounty: $250k for reporting Meltdown & Spectre type flaws

In her blog post, Reda further explained that a series of Hackathons are also planned by the EU:

“We also planned a series of Hackathons that will allow software developers from within the EU institutions, and developers from Free Software projects, to work more closely together and to collaborate directly on their software.”

In the future, states Reda, FOSSA will be focusing on improving Drupal and developers will be motivated for building secure products.