EU to fund bug bounty programs for 14 open source projects starting January 2019


Karlston

The European Union will foot the bill for bug bounty programs for 14 open source projects, EU Member of Parliament Julia Reda announced this week.

 

The 14 projects are, in alphabetical order, 7-zip, Apache Kafka, Apache Tomcat, Digital Signature Services (DSS), Drupal, Filezilla, FLUX TL, the GNU C Library (glibc), KeePass, midPoint, Notepad++, PuTTY, the Symfony PHP framework, VLC Media Player, and WSO2.

 

The bug bounty programs are being sponsored as part of the third edition of the Free and Open Source Software Audit (FOSSA) project.

 

EU authorities first approved FOSSA in 2015, a year after security researchers discovered severe vulnerabilities in the OpenSSL library, an open source project used by many websites to support HTTPS connections.

 

"The issue made lots of people realise how important Free and Open Source Software is for the integrity and reliability of the Internet and other infrastructure," said Reda in her announcement. "Like many other organisations, institutions like the European Parliament, the Council and the Commission build upon Free Software to run their websites and many other things."

 

The first FOSSA edition ran between 2015 and 2016 as a pilot program, with an initial budget of €1 million. The EU inventoried the most popular open source projects used by EU offices and officials, and held a public survey to decide which program should receive a sponsored security audit. Two projects were selected, the Apache HTTP web server and the KeePass password manager.

 

FOSSA 2 ran throughout 2017 as a bug bounty program on HackerOne for the VLC Media Player app. The program received €2 million in funding, but the bug bounty program's budget was capped at €60,000.

 

Now, FOSSA returns for its third edition with budgets for 14 bug bounty programs, with the highest budgets being reserved for PuTTY and the Drupal CMS.

 

Software Project   Bug Bounty Amount (Euro)   Start Date   End Date     Bug Bounty Platform
(The Software Project column, which named the program for each row, was not preserved in this copy of the table.)

                   58.000,00 €                07/01/2019   15/08/2019   HackerOne
                   58.000,00 €                07/01/2019   15/08/2019   HackerOne
                   71.000,00 €                07/01/2019   15/08/2019   HackerOne
                   90.000,00 €                07/01/2019   15/12/2019   HackerOne
                   58.000,00 €                07/01/2019   15/08/2019   HackerOne
                   34.000,00 €                15/01/2019   15/10/2019   Intigriti/Deloitte
                   71.000,00 €                15/01/2019   31/07/2019   Intigriti/Deloitte
                   58.000,00 €                30/01/2019   15/04/2020   Intigriti/Deloitte
                   25.000,00 €                30/01/2019   15/10/2019   Intigriti/Deloitte
                   89.000,00 €                30/01/2019   15/10/2020   Intigriti/Deloitte
                   45.000,00 €                30/01/2019   15/12/2019   Intigriti/Deloitte
                   39.000,00 €                30/01/2019   15/10/2019   Intigriti/Deloitte
                   39.000,00 €                30/01/2019   15/10/2019   Intigriti/Deloitte
                   58.000,00 €                30/01/2019   15/04/2020   Intigriti/Deloitte
                   58.000,00 €                01/03/2019   15/08/2019   HackerOne

 

Starting in January, security researchers and security companies can hunt for vulnerabilities in these open source projects and report them to the bug bounty programs listed above, in the hope of a monetary reward if the bug report is approved and results in a patch.

 

Source: EU to fund bug bounty programs for 14 open source projects starting January 2019 (ZDNet)

 

Poster's note:  Looks like source has autoplay video at top of article. :angry:
