The European Union will foot the bill for bug bounty programs for 14 open source projects, EU Member of Parliament Julia Reda announced this week.
The 14 projects are, in alphabetical order, 7-zip, Apache Kafka, Apache Tomcat, Digital Signature Services (DSS), Drupal, Filezilla, FLUX TL, the GNU C Library (glibc), KeePass, midPoint, Notepad++, PuTTY, the Symfony PHP framework, VLC Media Player, and WSO2.
The bug bounty programs are being sponsored as part of the third edition of the Free and Open Source Software Audit (FOSSA) project.
EU authorities first approved FOSSA in 2015, after security researchers discovered a year earlier severe vulnerabilities in the OpenSSL library, an open source project used by many websites to support HTTPS connections.
"The issue made lots of people realise how important Free and Open Source Software is for the integrity and reliability of the Internet and other infrastructure," said Reda in her announcement. "Like many other organisations, institutions like the European Parliament, the Council and the Commission build upon Free Software to run their websites and many other things."
The first FOSSA edition ran between 2015 and 2016, as a pilot program, with an initial budget of €1 million. The EU inventorized the most popular open source projects used by EU offices and officials, and they held a public survey to decide what program that should sponsor a security audit for. Two projects were selected, the Apache HTTP web server and the KeePass password manager.
FOSSA 2 ran throughout 2017 as a bug bounty program on HackerOne for the VLC Media Player app. The program received €2 million in funding, but the bug bounty program's budget was capped at €60,000.
Now, FOSSA returns for its third edition with budgets for 14 bug bounty programs, with the highest budgets being reserved for PuTTY and the Drupal CMS.
Software Project | Bug Bounty Amount (Euro) | Start Date | End Date | Bug Bounty Platform |
---|---|---|---|---|
Filezilla | 58.000,00 € | 07/01/2019 | 15/08/2019 | HackerOne |
Apache Kafka | 58.000,00 € | 07/01/2019 | 15/08/2019 | HackerOne |
Notepad++ | 71.000,00 € | 07/01/2019 | 15/08/2019 | HackerOne |
PuTTY | 90.000,00 € | 07/01/2019 | 15/12/2019 | HackerOne |
VLC Media Player | 58.000,00 € | 07/01/2019 | 15/08/2019 | HackerOne |
FLUX TL | 34.000,00 € | 15/01/2019 | 15/10/2019 | Intigriti/Deloitte |
KeePass | 71.000,00 € | 15/01/2019 | 31/07/2019 | Intigriti/Deloitte |
7-zip | 58.000,00 € | 30/01/2019 | 15/04/2020 | Intigriti/Deloitte |
Digital Signature Services (DSS) | 25.000,00 € | 30/01/2019 | 15/10/2019 | Intigriti/Deloitte |
Drupal | 89.000,00 € | 30/01/2019 | 15/10/2020 | Intigriti/Deloitte |
GNU C Library (glibc) | 45.000,00 € | 30/01/2019 | 15/12/2019 | Intigriti/Deloitte |
PHP Symfony | 39.000,00 € | 30/01/2019 | 15/10/2019 | Intigriti/Deloitte |
Apache Tomcat | 39.000,00 € | 30/01/2019 | 15/10/2019 | Intigriti/Deloitte |
WSO2 | 58.000,00 € | 30/01/2019 | 15/04/2020 | Intigriti/Deloitte |
midPoint | 58.000,00 € | 01/03/2019 | 15/08/2019 | HackerOne |
Starting with January, security researchers and security companies can hunt vulnerabilities in these open source projects and report them to the bug bounty programs linked above, in the hopes of a monetary reward, if the bug report is approved and results in a patch.