Remember how I raised €1 million to demonstrate security and freedom aren’t opposites? Well here’s what happened next and how we are going to move forward with this.

In 2014, two major security vulnerabilities, Heartbleed and Shellshock, were discovered. Both concerned Free Software projects that are widely used throughout the Internet, on computers, tablets, and smartphones alike. My colleague Max Andersson from the Swedish Greens and I proposed a so-called “pilot project”, the Free and Open Source Software Audit (FOSSA).

The FOSSA project and outcomes in short

fossa-keepassI think the EU-FOSSA project is a great idea. For KeePass, the project went well and has resulted in improvements. I hope that the EU-FOSSA project will be continued.– Dominik Reichl, KeePass

Extending the project

As the pilot project is coming to its end in mid-November, we submitted a proposal for its continuation. In Strasbourg today, the European Parliament voted in favour of the EU’s 2017 budget and with it, for the continuation of FOSSA as a preparatory action. Parliament and Council now have three weeks of time to reach an agreement on the 2017 budget. Then finally, the next phase of FOSSA can start.

fossa-apacheMore and more software underpins society. Keeping this (almost exclusively open source) infrastructure safe is a never-ending process. The FOSSA pilot highlights again the subtle trade-offs between security and complexity – sometimes it is hard to make sure that audits, bug-bounties and other one-off contributions have a net-positive effect. Key lessons learned from the pilot are that it is vital to analyse each (potential) issue in depth. Furthermore, it shows that there is great value (and need!) in building both capacity and capability in society to maintain key open source infrastructure code while also training the next cadre of developers. We need support for these communities in the long term, and that also means devoting significant resources to this.– Dirk-Willem van Gulik, member of the Apache Software Foundation

 

In the preparatory action phase of the FOSSA project, we want to bring the EU institutions and the Open Source community closer together. The pilot project has been an important step in this direction, but there are many things that we can improve. Among other ideas, the preparatory action will include a bug bounty approach which will allow you to participate in the discovery of potential problems and continue making Free Software even more stable and reliable.

With the Free Software audit, we will bring the EU and the Open Source community closer together.
Tweet this!

To the extent possible under law, the creator has waived all copyright and related or neighboring rights to this work.

My name is Julia, I'm the Pirate in the European Parliament.

I'm fighting to make copyright in the EU unified, progressive and fit for the future. Will you join me?

3 comments

  1. 1
    Landercy SP

    Good to hear about EU-FOSSA extension and the willingness of European Institutions to progress on this topic.

    • Yes, it seems to be a sign that their are leaning a little bit towards more freedom (at least, _not leaning_ more towards proprietary systems and companies). We (the people of the planet who will benefit from more freedom, even if as in an strong example to be followed to other institutions) must congratulate MEP Julia Reda and her group for achieving this second milestone.

  2. 2

    The bounty approach is a great idea, quite some companies are doing it. For a company, setting a high bounty might also demonstrate the trust of the firm in the security of their product, but more so it creates a counter offer to anyone who might exploit a bug in other ways.

    For open source software this is also true. Its not hard to see the cost of (cyber-) crime to society, and that an investment in open source can help to decrease harm.

    But the real chance for a EU sponsored large bounty program might be certification and trust, enabled by a dynamic and open approach to bounty setting. If I want to use an open source software, knowing that a substantial bounty exists would surely foster confidence in OSS. Maybe think about a reverse dutch auction for setting the bounty…

What do you think?