The European Union will be funding bug bounty programs for 15 open source projects starting January 2019, announced EU Parliament Member Julia Reda.
The initiative is part of the third edition of the Free and Open Source Software Audit (FOSSA) project, and targeting some major Open Source projects in the market. The FOSSA project came to existence in 2015, after security researchers discovered severe vulnerabilities in the OpenSSL library, also an open source project, used by millions of websites to support the HTTPS protocol.
“The issue made lots of people realise how important Free and Open Source Software is for the integrity and reliability of the Internet and other infrastructure“, mentioned Reda in a public post.
Reda also noted the importance of Free and Open Source Software (FOSS) to the global internet community.
“Like many other organisations, institutions like the European Parliament, the Council and the Commission build upon Free Software to run their websites and many other things.“
From January on, security companies and individuals can hunt for vulnerabilities in these open source projects, report them to the bug bounty programs linked above and hope for a monetary reward if the bug report is approved.
The FOSSA project had its first edition in 2015 with an initial budget of 1 million euros. The EU inventorized the most popular open source projects used by EU offices and officials, and they held a public survey to decide what program that should sponsor a security audit for. Two projects were selected, the Apache HTTP web server and the KeePass password manager.
The second edition of FOSSA ran throughout 2017 as a bug bounty program on HackerOne for the VLC Media Player app. This program received €2 million in funding, but the bug bounty program’s budget was capped at €60,000.
Now, FOSSA returns for its third edition with budgets for 15 bug bounty programs, with the highest budgets being reserved for PuTTY and the Drupal CMS. You can see the bug bounty programs and budgets in the table below.
| Software Project | Bug Bounty Amount (Euro) | Start Date | End Date | Bug Bounty Platform |
|---|---|---|---|---|
| Filezilla | € 58 000,00 | 07/01/2019 | 15/08/2019 | HackerOne |
| Apache Kafka | € 58 000,00 | 07/01/2019 | 15/08/2019 | HackerOne |
| VLC Media Player | € 58 000,00 | 07/01/2019 | 15/08/2019 | HackerOne |
| Notepad++ | € 71 000,00 | 07/01/2019 | 15/08/2019 | HackerOne |
| PuTTY | € 90 000,00 | 07/01/2019 | 15/12/2019 | HackerOne |
| KeePass | € 71 000,00 | 15/01/2019 | 31/07/2019 | Integrity/Deloitte |
| FLUX TL | € 38 000,00 | 15/01/2019 | 15/10/2019 | Integrity/Deloitte |
| Apache Tomcat | € 39 000,00 | 30/01/2019 | 15/10/2019 | Integrity/Deloitte |
| Digital Signature Services (DSS) | € 25 000,00 | 30/01/2019 | 15/10/2019 | Integrity/Deloitte |
| PHP Sympony | € 39 000,00 | 30/01/2019 | 15/10/2019 | Integrity/Deloitte |
| GNU C Library (glibc) | € 45 000,00 | 30/01/2019 | 15/12/2019 | Integrity/Deloitte |
| 7-zip | € 58 000,00 | 30/01/2019 | 15/04/2020 | Integrity/Deloitte |
| WSO2 | € 58 000,00 | 30/01/2019 | 15/04/2020 | Integrity/Deloitte |
| Drupal | € 89 000,00 | 30/01/2019 | 15/10/2020 | Integrity/Deloitte |
| midPoint | € 58 000,00 | 01/03/2019 | 15/08/2019 | HackerOne |
