EU launches bug bounties on free and open source software

After setting up a bug bounty program for VLC Media Player in late 2017, the European Commission (EC) has announced the launch of 14 new ones that will cover other free and open source software used by European Union institutions.

open source bug bounties

The list of target software is as follows:

  • Filezilla (FTP app)
  • Apache Kafka (stream-processing software platform)
  • Notepad++ (text/source code editor)
  • PuTTY (terminal emulator, network file transfer app)
  • VLC Media Player
  • FLUX TL (the Transportation Layer of choice for a family of applications under the Integrated Fisheries Data Management Programme)
  • KeePass (password manager)
  • 7-zip (file archiver)
  • Digital Signature Services (software library for electronic signature creation and validation)
  • Drupal (content management framework)
  • GNU C Library (glibc) (the core libraries for the GNU system and GNU/Linux systems)
  • PHP Symfony (PHP web application framework and a set of reusable PHP components/libraries)
  • Apache Tomcat (implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies)
  • WSO2 (API management platform)
  • midPoint (Identity Management system).

The EC has set aside €851,000 – i.e., nearly $1 million – for the bounties. As per usual, the amount of the bounty depends on the severity of the issue uncovered and the relative importance of the software.

The FOSSA project

The programs were set up through the EU’s Free and Open Source Software Audit (FOSSA) project, which dates back to 2014 and was a direct reaction to the discovery of critical vulnerabilities in OpenSSL: Heartbleed, a set of critical MITM and code execution flaws, POODLE and several DoS bugs.

“The issue made lots of people realise how important Free and Open Source Software is for the integrity and reliability of the Internet and other infrastructure. Like many other organisations, institutions like the European Parliament, the Council and the Commission build upon Free Software to run their websites and many other things,” says Julia Reda, EU Member of Parliament and co-founder of the project.

“I think that the security of Free Software is in our common interest. Not only do people rely on Free Software for their daily use, they also rely on it because it is the foundation of the Internet infrastructure. Consequently, the European Institutions, governments and administration throughout Europe and beyond rely on its security. That is why the goal with the FOSSA project is to establish Free Software Security as a permanent item in the EU budget.”