ISSCloud - Information Systems Solutions


EU approves bug bounty programs for 15 open source projects

The European Union will be funding bug bounty programs for 15 open source projects starting January 2019, announced EU Parliament Member Julia Reda.

The initiative is part of the third edition of the Free and Open Source Software Audit (FOSSA) project and targets some major open source projects in the market. The FOSSA project came into existence in 2015, after security researchers discovered severe vulnerabilities in the OpenSSL library, itself an open source project used by millions of websites to support the HTTPS protocol.

“The issue made lots of people realise how important Free and Open Source Software is for the integrity and reliability of the Internet and other infrastructure”, Reda wrote in a public post.

Reda also noted the importance of Free and Open Source Software (FOSS) to the global internet community.

Like many other organisations, institutions like the European Parliament, the Council and the Commission build upon Free Software to run their websites and many other things.

From January on, security companies and individuals can hunt for vulnerabilities in these open source projects, report them to the bug bounty programs listed in the table below, and hope for a monetary reward if the bug report is approved.

The FOSSA project had its first edition in 2015 with an initial budget of 1 million euros. The EU inventoried the open source projects most used by EU offices and officials, then held a public survey to decide which program should receive a sponsored security audit. Two projects were selected: the Apache HTTP web server and the KeePass password manager.

The second edition of FOSSA ran throughout 2017 as a bug bounty program on HackerOne for the VLC Media Player app. This program received €2 million in funding, but the bug bounty program’s budget was capped at €60,000.

Now, FOSSA returns for its third edition with budgets for 15 bug bounty programs, with the highest budgets being reserved for PuTTY and the Drupal CMS. You can see the bug bounty programs and budgets in the table below.

| Software Project | Bug Bounty Amount (Euro) | Start Date (dd/mm/yyyy) | End Date (dd/mm/yyyy) | Bug Bounty Platform |
|---|---|---|---|---|
| Filezilla | € 58 000,00 | 07/01/2019 | 15/08/2019 | HackerOne |
| Apache Kafka | € 58 000,00 | 07/01/2019 | 15/08/2019 | HackerOne |
| VLC Media Player | € 58 000,00 | 07/01/2019 | 15/08/2019 | HackerOne |
| Notepad++ | € 71 000,00 | 07/01/2019 | 15/08/2019 | HackerOne |
| PuTTY | € 90 000,00 | 07/01/2019 | 15/12/2019 | HackerOne |
| KeePass | € 71 000,00 | 15/01/2019 | 31/07/2019 | Integrity/Deloitte |
| FLUX TL | € 38 000,00 | 15/01/2019 | 15/10/2019 | Integrity/Deloitte |
| Apache Tomcat | € 39 000,00 | 30/01/2019 | 15/10/2019 | Integrity/Deloitte |
| Digital Signature Services (DSS) | € 25 000,00 | 30/01/2019 | 15/10/2019 | Integrity/Deloitte |
| PHP Symfony | € 39 000,00 | 30/01/2019 | 15/10/2019 | Integrity/Deloitte |
| GNU C Library (glibc) | € 45 000,00 | 30/01/2019 | 15/12/2019 | Integrity/Deloitte |
| 7-zip | € 58 000,00 | 30/01/2019 | 15/04/2020 | Integrity/Deloitte |
| WSO2 | € 58 000,00 | 30/01/2019 | 15/04/2020 | Integrity/Deloitte |
| Drupal | € 89 000,00 | 30/01/2019 | 15/10/2020 | Integrity/Deloitte |
| midPoint | € 58 000,00 | 01/03/2019 | 15/08/2019 | HackerOne |
Ricardo Mendes

Ricardo is a Senior Systems Administrator and Consultant at ISSCloud, after more than 10 years working in private telecom. He enjoys writing about technology, security and privacy.
