The European Union is offering a total of more than €850,000 – nearly $1 million – for vulnerabilities found in 14 widely used free and open source software projects.
The announcement was made last week by Julia Reda, who represents the German Pirate Party in the European Parliament. Reda and Max Andersson, a member of Sweden’s Green Party in the European Parliament, are the creators of the Free and Open Source Software Audit (FOSSA) project.
FOSSA, run by the European Commission, was launched in 2014 in response to the OpenSSL vulnerability known as Heartbleed. Its goal is to help improve the overall security of the Internet through bug bounty programs, audits, hackathons and other initiatives.
Starting this month, as part of FOSSA, the European Commission will launch 14 bug bounty programs for free software projects, including Filezilla, Apache Kafka, Apache Tomcat, Notepad++, PuTTY, VLC, FLUX TL, KeePass, 7-Zip, Digital Signature Services (DSS), Drupal, glibc, PHP Symfony, WSO2, and midPoint.
Rewards range between €25,000 ($28,000) and €90,000 ($103,000). Some of the programs will run until the summer of 2019, while others will accept submissions until the end of the year and even towards the end of 2020.
The highest rewards are being offered for PuTTY and Drupal. The PuTTY bug bounty will run until December 15, 2019, and the one for Drupal, which is the longest, has an end date of October 15, 2020.
Researchers who want to take part in these programs will be invited to submit their findings via the HackerOne and Deloitte’s Intigriti crowdsourced security platforms.
The first phase of FOSSA ran in 2015-2016 and it involved creating an inventory of the free software used by the European Parliament, an analysis of how developers handle security, and security audits of the Apache web server and the KeePass password manager.
The second phase of FOSSA – the project was renewed in 2017 for another 3 years – involves bug bounty programs, with a test targeting VLC conducted last year.
Josh Bressers, who leads product security at Elastic, noted on his Open Source Security blog that bug bounties are a step in the right direction, but more needs to be done.
“If nothing changes and bug bounties are the only way to spend money on open source, this will fizzle out as there isn’t going to be a massive return on investment. The projects are already overworked, they don’t need a bunch of new bugs to fix. We need a ‘next step’ that will give the projects resources. Resources aren’t always money, sometimes it’s help, sometimes it’s gear, sometimes it’s pizza. An organization like the EU has money, they need help turning that into something useful to an open source project,” Bressers said.
“I don’t know exactly what the next few steps will look like, but I do know the final step is going to be some framework that lets different groups fund open source projects. Some will be governments, some will be companies, some might even be random people who want to give a project a few bucks,” he added.