Connect with us

Hi, what are you looking for?


Application Security

EU to Run Bug Bounty Programs for 14 Free Software Projects

The European Union is offering a total of more than €850,000 – nearly $1 million – for vulnerabilities found in 14 widely used free and open source software projects.

The European Union is offering a total of more than €850,000 – nearly $1 million – for vulnerabilities found in 14 widely used free and open source software projects.

The announcement was made last week by Julia Reda, who represents the German Pirate Party in the European Parliament. Reda and Max Andersson, a member of Sweden’s Green Party in the European Parliament, are the creators of the Free and Open Source Software Audit (FOSSA) project.

FOSSA, run by the European Commission, was launched in 2014 in response to the OpenSSL vulnerability known as Heartbleed. Its goal is to help improve the overall security of the Internet through bug bounty programs, audits, hackathons and other initiatives.

Starting this month, as part of FOSSA, the European Commission will launch 14 bug bounty programs for free software projects, including Filezilla, Apache Kafka, Apache Tomcat, Notepad++, PuTTY, VLC, FLUX TL, KeePass, 7-Zip, Digital Signature Services (DSS), Drupal, glibc, PHP Symfony, WSO2, and midPoint.

Rewards range between €25,000 ($28,000) and €90,000 ($103,000). Some of the programs will run until the summer of 2019, while others will accept submissions until the end of the year and even towards the end of 2020.

The highest rewards are being offered for PuTTY and Drupal. The PuTTY bug bounty will run until December 15, 2019, and the one for Drupal, which is the longest, has an end date of October 15, 2020.

Researchers who want to take part in these programs will be invited to submit their findings via the HackerOne and Deloitte’s Intigriti crowdsourced security platforms.

EU launches bug bounty programs for open source projects

The first phase of FOSSA ran in 2015-2016 and it involved creating an inventory of the free software used by the European Parliament, an analysis of how developers handle security, and security audits of the Apache web server and the KeePass password manager.

Advertisement. Scroll to continue reading.

The second phase of FOSSA – the project was renewed in 2017 for another 3 years – involves bug bounty programs, with a test targeting VLC conducted last year.

Josh Bressers, who leads product security at Elastic, noted on his Open Source Security blog that bug bounties are a step in the right direction, but more needs to be done.

“If nothing changes and bug bounties are the only way to spend money on open source, this will fizzle out as there isn’t going to be a massive return on investment. The projects are already overworked, they don’t need a bunch of new bugs to fix. We need a ‘next step’ that will give the projects resources. Resources aren’t always money, sometimes it’s help, sometimes it’s gear, sometimes it’s pizza. An organization like the EU has money, they need help turning that into something useful to an open source project,” Bressers said.

“I don’t know exactly what the next few steps will look like, but I do know the final step is going to be some framework that lets different groups fund open source projects. Some will be governments, some will be companies, some might even be random people who want to give a project a few bucks,” he added.

Related: Singapore Government Announces Second Bug Bounty Program

Related: European Parliament Votes to Ban Kaspersky Products

Related: OpenSSL, OpenSSH, NTP Get Funding From Core Infrastructure Initiative

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how to utilize tools, controls, and design models needed to properly secure cloud environments.


Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.


People on the Move

SaaS security company AppOmni has hired Joel Wallenstrom as its General Manager.

FTI Consulting has appointed Brett Callow as Managing Director in its Cybersecurity & Data Privacy Communications practice.

Mobile security firm Zimperium has welcomed David Natker as its VP of Global Partners and Alliances.

More People On The Move

Expert Insights