Connect with us

Hi, what are you looking for?


Application Security

EU to Run Bug Bounty Programs for 14 Free Software Projects

The European Union is offering a total of more than €850,000 – nearly $1 million – for vulnerabilities found in 14 widely used free and open source software projects.

The European Union is offering a total of more than €850,000 – nearly $1 million – for vulnerabilities found in 14 widely used free and open source software projects.

The announcement was made last week by Julia Reda, who represents the German Pirate Party in the European Parliament. Reda and Max Andersson, a member of Sweden’s Green Party in the European Parliament, are the creators of the Free and Open Source Software Audit (FOSSA) project.

FOSSA, run by the European Commission, was launched in 2014 in response to the OpenSSL vulnerability known as Heartbleed. Its goal is to help improve the overall security of the Internet through bug bounty programs, audits, hackathons and other initiatives.

Starting this month, as part of FOSSA, the European Commission will launch 14 bug bounty programs for free software projects, including Filezilla, Apache Kafka, Apache Tomcat, Notepad++, PuTTY, VLC, FLUX TL, KeePass, 7-Zip, Digital Signature Services (DSS), Drupal, glibc, PHP Symfony, WSO2, and midPoint.

Rewards range between €25,000 ($28,000) and €90,000 ($103,000). Some of the programs will run until the summer of 2019, while others will accept submissions until the end of the year and even towards the end of 2020.

The highest rewards are being offered for PuTTY and Drupal. The PuTTY bug bounty will run until December 15, 2019, and the one for Drupal, which is the longest, has an end date of October 15, 2020.

Researchers who want to take part in these programs will be invited to submit their findings via the HackerOne and Deloitte’s Intigriti crowdsourced security platforms.

EU launches bug bounty programs for open source projects

The first phase of FOSSA ran in 2015-2016 and it involved creating an inventory of the free software used by the European Parliament, an analysis of how developers handle security, and security audits of the Apache web server and the KeePass password manager.

Advertisement. Scroll to continue reading.

The second phase of FOSSA – the project was renewed in 2017 for another 3 years – involves bug bounty programs, with a test targeting VLC conducted last year.

Josh Bressers, who leads product security at Elastic, noted on his Open Source Security blog that bug bounties are a step in the right direction, but more needs to be done.

“If nothing changes and bug bounties are the only way to spend money on open source, this will fizzle out as there isn’t going to be a massive return on investment. The projects are already overworked, they don’t need a bunch of new bugs to fix. We need a ‘next step’ that will give the projects resources. Resources aren’t always money, sometimes it’s help, sometimes it’s gear, sometimes it’s pizza. An organization like the EU has money, they need help turning that into something useful to an open source project,” Bressers said.

“I don’t know exactly what the next few steps will look like, but I do know the final step is going to be some framework that lets different groups fund open source projects. Some will be governments, some will be companies, some might even be random people who want to give a project a few bucks,” he added.

Related: Singapore Government Announces Second Bug Bounty Program

Related: European Parliament Votes to Ban Kaspersky Products

Related: OpenSSL, OpenSSH, NTP Get Funding From Core Infrastructure Initiative

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...