Image: European Commission (Flickr)

The European Commission has provided funding for bug bounties in 14 open source projects it relies on. The bounties are designed to find gaps in its security after a year of successful attacks across the world.

The idea has its roots in the Heartbleed vulnerability, whose discovery in OpenSSL caused a mad scramble and widespread concern. This led to the proposal of the Free and Open Source Software Audit (FOSSA) by Julia Reda.

The bounties cover popular applications like FileZilla, Notepad++, PuTTY, VLC Media Player, KeePass, and 7-Zip. They were chosen based on a historical look at application usage within the EC and a public survey run by Reda.

Of course, while the discovery of the bugs will aid the European Commission, they’ll play a wider role in protecting the public as a whole. The bounties are open to all on HackerOne and Intigriti, meaning anyone holding on to relevant exploits has a financial incentive to divulge them.

Bounty Details

Naturally, the amount received depends on the severity of the bug and the software’s importance. Finding a bug in Drupal, a CMS framework, could net you €89,000. Meanwhile, PuTTY goes as high as €90,000, and KeePass €71,000. Here’s the full list:

| Project | Bounty budget | Start | End | Platform |
|---|---|---|---|---|
| FileZilla | 58.000,00 € | 07/01/2019 | 15/08/2019 | HackerOne |
| Apache Kafka | 58.000,00 € | 07/01/2019 | 15/08/2019 | HackerOne |
| Notepad++ | 71.000,00 € | 07/01/2019 | 15/08/2019 | HackerOne |
| PuTTY | 90.000,00 € | 07/01/2019 | 15/12/2019 | HackerOne |
| VLC Media Player | 58.000,00 € | 07/01/2019 | 15/08/2019 | HackerOne |
| FLUX TL | 34.000,00 € | 15/01/2019 | 15/10/2019 | Intigriti/Deloitte |
| KeePass | 71.000,00 € | 15/01/2019 | 31/07/2019 | Intigriti/Deloitte |
| 7-Zip | 58.000,00 € | 30/01/2019 | 15/04/2020 | Intigriti/Deloitte |
| Digital Signature Services (DSS) | 25.000,00 € | 30/01/2019 | 15/10/2019 | Intigriti/Deloitte |
| Drupal | 89.000,00 € | 30/01/2019 | 15/10/2020 | Intigriti/Deloitte |
| GNU C Library (glibc) | 45.000,00 € | 30/01/2019 | 15/12/2019 | Intigriti/Deloitte |
| PHP Symfony | 39.000,00 € | 30/01/2019 | 15/10/2019 | Intigriti/Deloitte |
| Apache Tomcat | 39.000,00 € | 30/01/2019 | 15/10/2019 | Intigriti/Deloitte |
| WSO2 | 58.000,00 € | 30/01/2019 | 15/04/2020 | Intigriti/Deloitte |
| midPoint | 58.000,00 € | 01/03/2019 | 15/08/2019 | HackerOne |

As you can see, the amount of time bug hunters have to find issues varies wildly. All but midPoint launch in January, but some programmes last only around six months, while others continue well into 2020.

However, while the bounties are clearly a positive step, some argue that the EU should be spending its money elsewhere. Open source maintainers are historically underfunded and overworked, meaning that even once bugs are identified, it could be difficult for them to fix them in a timely manner.