Cyber Security

EU offers bug bounties on popular open source software

The program with a prize pool of almost US$1 million aims to leverage the ‘power of the crowd’ in order to prevent another Heartbleed

The European Union (EU) is rolling out a bug bounty scheme on some of the most popular free and open source software around in a bid to ultimately make the internet a safer place.

A total of €851,000 (not too far from US$1 million) is up for grabs as rewards for identifying security vulnerabilities in 15 widely used software projects (a full breakdown is shown below). A portion of the cash-for-bugs scheme is kicking off today, while nearly all others are scheduled to begin later this month.

The program was announced by Julia Reda, a member of the European Parliament, who – together with fellow EU parliamentarian Max Andersson – has spearheaded the Free and Open Source Software Audit (FOSSA) project since 2014.

Reda and Andersson’s initiative came in response to the discovery of Heartbleed, a vulnerability in the cryptographic software library OpenSSL that sent shockwaves throughout the IT community in 2014.

“The issue made lots of people realise how important Free and Open Source Software is for the integrity and reliability of the Internet and other infrastructure. Like many other organisations, institutions like the European Parliament, the Council and the Commission build upon Free Software to run their websites and many other things,” writes Reda.

Software project Bug bounty (EURO) Start date (DD/MM/YYYY) End date (DD/MM/YYYY) Bug bounty platform
Filezilla 58,000 7/1/2019 15/08/2019 HackerOne
Apache Kafka 58,000 7/1/2019 15/08/2019 HackerOne
Notepad++ 71,000 7/1/2019 15/08/2019 HackerOne
PuTTY 90,000 7/1/2019 15/12/2019 HackerOne
VLC Media Player
58,000 7/1/2019 15/08/2019 HackerOne
FLUX TL 34,000 15/01/2019 15/10/2019 Intigriti/Deloitte
KeePass 71,000 15/01/2019 31/07/2019 Intigriti/Deloitte
7-zip 58,000 30/01/2019 15/04/2020 Intigriti/Deloitte
Digital Signature Services (DSS) 25,000 30/01/2019 15/10/2019 Intigriti/Deloitte
Drupal 89,000 30/01/2019 15/10/2020 Intigriti/Deloitte
GNU C Library (glibc) 45,000 30/01/2019 15/12/2019 Intigriti/Deloitte
PHP Symfony 39,000 30/01/2019 15/10/2019 Intigriti/Deloitte
Apache Tomcat 39,000 30/01/2019 15/10/2019 Intigriti/Deloitte
WSO2 58,000 30/01/2019 15/04/2020 Intigriti/Deloitte
midPoint 58,000 1/3/2019 15/08/2019 HackerOne

The EU’s bug bounty scheme at a glance (source:

The bounties will be determined by “the severity of the issue uncovered and the relative importance of the software”, said Reda. The scheme will be open for most of this year and, in some cases, even until way into 2020, leaving ample time for poring over the code and routing out potential flaws. Unlike many other bug bounty programs that are invite-only, this initiative is open to everybody.

The tools that are set to be accorded quite some scrutiny were determined by a screening of open software in use by the European Commission, in conjunction with an analysis of how the respective developers come to grips with security and with a public vote – which were all part of FOSSA’s pilot run in 2015 and 2016.

The screening found that open source software accounted for 18 percent of software items and for 16 percent of software instances in use by the EU’s executive arm.

Meanwhile, the public vote selected the KeePass password manager and the Apache web server for security audits. The subsequent code reviews, which were conducted by engineers contracted by the Commission, found no critical or high-risk security holes in either software: KeePass was found to contain five medium- and three low-risk flaws whereas in Apache two low-risk vulnerabilities were spotted.

As part of FOSSA’s second stage in 2017, the Commission announced a proof-of-concept bug bounty on VLC Media Player, a piece of software installed on every workstation at the Commission.

Articles You May Like

Hackers Win $105,000 for Reporting Critical Security Flaws in Sonos One Speakers
All the Nvidia news announced by Jensen Huang at Computex
Ransomware Gangs Adopting Business-like Practices to Boost Profits
API security in the spotlight – Week in security with Tony Anscombe
No one has done AR or VR well. Can Apple?

Leave a Reply

Your email address will not be published. Required fields are marked *