The European Commission has provided funding for bug bounties in 14 open source projects it relies on. The bounties are designed to find gaps in its security after a year of successful attacks across the world.
The idea has roots in the Heartbleed vulnerability, whose discovery in OpenSSL caused a mad scramble and widespread concern. This led to the proposal of the Open Source Software Audit (FOSSA) by Julia Reda.
The bounties include popular applications like Filezilla, Notepad++, PuTTy, VLC Media Player, KeePass, and 7-zip. They were chosen by a historical look at application usage in the EC and a public survey by Reda.
Of course, while the discovery of the bugs will aid the European Commission, they’ll play a wider role in protecting the public as a whole. The bounties are open to all on HackerOne and Intigriti, meaning anyone holding on to relevant exploits has a financial incentive to divulge them.
Bounty Details
Naturally, the amount received depends on the severity of the bug and the software’s importance. Finding a bug in Drupal, a CMS framework, could net you €89,000. Meanwhile, PuTTy is as high as €90,000, and KeePass €71,000. Here’s the full list:
SOFTWARE PROJECT | BUG BOUNTY AMOUNT (EURO) | START DATE | END DATE | BUG BOUNTY PLATFORM |
---|---|---|---|---|
Filezilla | 58.000,00 € | 07/01/2019 | 15/08/2019 | HackerOne |
Apache Kafka | 58.000,00 € | 07/01/2019 | 15/08/2019 | HackerOne |
Notepad++ | 71.000,00 € | 07/01/2019 | 15/08/2019 | HackerOne |
PuTTY | 90.000,00 € | 07/01/2019 | 15/12/2019 | HackerOne |
VLC Media Player | 58.000,00 € | 07/01/2019 | 15/08/2019 | HackerOne |
FLUX TL | 34.000,00 € | 15/01/2019 | 15/10/2019 | Intigriti/Deloitte |
KeePass | 71.000,00 € | 15/01/2019 | 31/07/2019 | Intigriti/Deloitte |
7-zip | 58.000,00 € | 30/01/2019 | 15/04/2020 | Intigriti/Deloitte |
Digital Signature Services (DSS) | 25.000,00 € | 30/01/2019 | 15/10/2019 | Intigriti/Deloitte |
Drupal | 89.000,00 € | 30/01/2019 | 15/10/2020 | Intigriti/Deloitte |
GNU C Library (glibc) | 45.000,00 € | 30/01/2019 | 15/12/2019 | Intigriti/Deloitte |
PHP Symfony | 39.000,00 € | 30/01/2019 | 15/10/2019 | Intigriti/Deloitte |
Apache Tomcat | 39.000,00 € | 30/01/2019 | 15/10/2019 | Intigriti/Deloitte |
WSO2 | 58.000,00 € | 30/01/2019 | 15/04/2020 | Intigriti/Deloitte |
midPoint | 58.000,00 € | 01/03/2019 | 15/08/2019 | HackerOne |
As you can see, the amount of time bug hunters have to find issues varies wildly. All but midPoint will launch in January, but some last for around six months, while others will continue way into 2020.
However, while the bounties are clearly a positive step, some argue that the EU should be spending its money in other places. Open source maintainers are historically underfunded and overworked, meaning that even if bugs are identified, it could be difficult for them to fix them in a timely manner.