EU launches Bug Bounty program for 14 free open-source products

The European Union (EU) will be offering bug bounty rewards for the 14 open-source products that it uses. Member of the European Parliament Julia Reda announced that the European Commission will offer bounties worth €851,000 in total under its Free and Open Source Software Audit (FOSSA) project.

Fourteen of the bug bounty programs will commence in January 2019, while the last one, for midPoint, will start on March 1. The programs are sponsored as part of the third edition of the FOSSA project, which was approved by the EU authorities in 2015 after severe vulnerabilities were identified in the OpenSSL library in 2014.

The products covered by the bug bounty programs are 7-zip, Apache Tomcat, Apache Kafka, Filezilla, Drupal, Digital Signature Services (DSS), the GNU C Library (glibc), FLUX TL, KeePass, PuTTY, the Symfony PHP framework, WSO2, Notepad++ and VLC Media Player.

In the announcement, Reda stressed the significance of free and open-source software and stated that:

“The issue made lots of people realize how important Free and Open Source Software is for the integrity and reliability of the Internet and other infrastructure. Like many other organizations, institutions like the European Parliament, the Council and the Commission build upon Free Software to run their websites and many other things.”

In the first edition of FOSSA, which ran between 2015 and 2016 with an approximate budget of €1m, a public survey was held and it was decided that FOSSA would sponsor security audits of KeePass and the Apache HTTP web server. The second edition of FOSSA had a budget of €2m, and its bug bounty program covered the VLC Media Player app.

From January onwards, security researchers and security firms can start looking for vulnerabilities in the open-source projects and earn a monetary reward for reporting a flaw. Vulnerabilities in Apache Kafka, Notepad++, PuTTY, Filezilla, and VLC Media Player can be submitted from January 7, 2019, through the HackerOne bug bounty and vulnerability coordination platform.

From March 1, 2019, vulnerabilities in the midPoint identity management and governance platform will also be reported through HackerOne. The bug bounty programs for the remaining nine products will be coordinated through Intigriti, a Brussels-based crowdsourced security platform, together with Deloitte. PuTTY will offer the highest reward pool, €90,000, and Drupal the second highest, €89,000.

In her blog post, Reda further explained that a series of Hackathons are also planned by the EU:

“We also planned a series of Hackathons that will allow software developers from within the EU institutions, and developers from Free Software projects, to work more closely together and to collaborate directly on their software.”

Looking ahead, Reda states, FOSSA will focus on improving Drupal, and developers will be encouraged to build secure products.

The full list of programs, with the bounty pool, start and end dates (DD/MM/YYYY) and the platform coordinating each one:

Product                     Bounty    Start       End         Platform
Filezilla                   €58,000   07/01/2019  15/08/2019  HackerOne
Apache Kafka                €58,000   07/01/2019  15/08/2019  HackerOne
Notepad++                   €71,000   07/01/2019  15/08/2019  HackerOne
PuTTY                       €90,000   07/01/2019  15/12/2019  HackerOne
VLC Media Player            €58,000   07/01/2019  15/08/2019  HackerOne
FLUX TL                     €34,000   15/01/2019  15/10/2019  Intigriti/Deloitte
KeePass                     €71,000   15/01/2019  31/07/2019  Intigriti/Deloitte
7-zip                       €58,000   30/01/2019  15/04/2020  Intigriti/Deloitte
Digital Signature Services  €25,000   30/01/2019  15/10/2019  Intigriti/Deloitte
Drupal                      €89,000   30/01/2019  15/10/2020  Intigriti/Deloitte
GNU C Library (glibc)       €45,000   30/01/2019  15/12/2019  Intigriti/Deloitte
PHP Symfony                 €39,000   30/01/2019  15/10/2019  Intigriti/Deloitte
Apache Tomcat               €39,000   30/01/2019  15/10/2019  Intigriti/Deloitte
WSO2                        €58,000   30/01/2019  15/04/2020  Intigriti/Deloitte
midPoint                    €58,000   01/03/2019  15/08/2019  HackerOne