EU to offer nearly $1m in bug bounties for open-source software

The internet runs on open-source, and it’s often hardworking volunteer developers who spend long hours keeping the projects alive. Unfortunately, they don’t always have the time or resources they need to hunt down the bugs that inevitably spring up in these large, complex code bases.

The European Commission (EC) just made a move to improve the situation: it’s ponying up serious money for bug hunters who track down vulnerabilities in some of the most popular free and open source software around.

The full list of 15 bounty programs includes the file archiver 7-zip, the Java servlet container Apache Tomcat, the content management framework Drupal, the cross-platform FTP application Filezilla, the media player VLC, the password manager KeePass, the text/source code editor Notepad++, plus other popular tools. The bounty pool allocated to each program ranges from €25,000 to €90,000 ($28,600 to $103,000), for a total offered amount of €851,000 ($973,000).

Fourteen of the programs will launch this month, while the 15th will start in March.

As with other bug bounties, the amount paid by the EC will depend on the severity of the discovered vulnerabilities and how important the given software is.

Julia Reda, Member of the European Parliament for the Pirate Party Germany and co-founder of the Free and Open Source Software Audit (FOSSA) project, announced the bounties a week ago. She said that the software programs were chosen after being identified in a public survey and from inventories that FOSSA conducted in 2015-2016 to see what free software everybody is relying on.

OpenSSL bugs like Heartbleed were a wake-up call

FOSSA was itself formed in 2015, following a sobering year of vulnerability discoveries in open source.

In 2014 we saw multiple vulnerabilities in the widely deployed cryptographic library known as OpenSSL. The first was Heartbleed, a buffer over-read in the TLS heartbeat extension that let an unauthenticated remote peer read chunks of the server's process memory (which could include private keys and session data), followed by six more vulnerabilities that could have led to denial of service, information disclosure and remote code execution.

OpenSSL provides standard cryptographic functions to “a huge number” of other programs, Reda notes, and those programs were affected in turn by the vulnerabilities. The library also plays an important role in encrypting internet traffic, making it crucial for protecting data such as people’s personal communications or their payment details when they shop online.

The silver lining of the OpenSSL bugs is that they were a wake-up call, Reda writes:

The issue made lots of people realise how important Free and Open Source Software is for the integrity and reliability of the Internet and other infrastructure. Like many other organisations, institutions like the European Parliament, the Council and the Commission build upon Free Software to run their websites and many other things.

In 2015, the year after the OpenSSL bugs were discovered, EU authorities approved FOSSA.

In 2017, after FOSSA’s inventories had been carried out, the EC extended the project for another three years. At that point, the project decided to “go one step further,” Reda said, by instituting bug bounties on important free and open source software projects and planning a series of hackathons, with the goal of getting software developers from EU institutions to work alongside free software project developers so they could collaborate directly on their software.

Ready, set, BUG HUNT!

Readers, if you want to participate, you can find links to the bug bounty programs on Reda’s blog post. Each of the bug bounties will go live on the ethical hacking platforms Intigriti and HackerOne. Best of luck!