Update (16 January 2019): More bug bounties become live, have a look at the full list below!
Update (10 January 2019): As some of you have already pointed out, the bounties haven’t been made public yet. I have been informed by the European Commission that the “start dates” they sent designate the start of the contract with the involved bug bounty platform, rather than the actual publication of the bounty. The publication date is found in collaboration with the software projects involved. Once they are ready, the bounties will be published. I will keep this blog post updated with more info as I receive it.
It’s been a while since I last wrote about the Free and Open Source Software Audit project, FOSSA, so let me start with a quick recap that you can safely skip if you’re already familiar with the project.
What happened so far
In 2014, security vulnerabilities were found in important Free Software projects. One of the issues was found in the Open Source encryption library OpenSSL. This type of software is called a library because it provides standard functions to a huge number of other softwares. And they subsequently suffered from the issue.
Since OpenSSL is also very important for the encryption of Internet traffic, it is also highly relevant to the protection of your personal communication, or your payment details when you’re shopping online.
The issue made lots of people realise how important Free and Open Source Software is for the integrity and reliability of the Internet and other infrastructure. Like many other organisations, institutions like the European Parliament, the Council and the Commission build upon Free Software to run their websites and many other things. But the Internet is not only crucial to our economy and our administration. It is the infrastructure that runs our every day lives. It is the means we use to retrieve information and to be politically active.
That is why my colleague Max Andersson and I started the Free and Open Source Software Audit project: FOSSA.
FOSSA
In 2015-2016, the first iteration of the FOSSA project, the European Commission, that runs the project for us, has created an inventory of what Free Software it relies on. It also analyzed how the software developers handle security in their projects. And finally, two projects (web server Apache and password manager KeePass) received a security audit.
FOSSA 2
In 2017, the project was extended for three more years. This time, we decided to go one step further and added the carrying out of Bug Bounties on important Free Software projects to the list of measures we wanted to put in place to increase the security of Free and Open Source Software.
We also planned a series of Hackathons that will allow software developers from within the EU institutions, and developers from Free Software projects, to work more closely together and to collaborate directly on their software.
FOSSA Bug Bounties
In January, the EU is launching bug bounties on Free Software projects to increase the security of the Internet!
Tweet this!
In January the European Commission is launching 14 out of a total of 15 bug bounties on Free Software projects that the EU institutions rely on. A bug bounty is a prize for people who actively search for security issues. The amount of the bounty depends on the severity of the issue uncovered and the relative importance of the software. The software projects chosen were previously identified as candidates in the inventories and a public survey.
You can contribute to the projects below by analysing the software, and by submitting any bugs or vulnerabilities you find to the involved bug bounty platforms. Here is the list of Software projects and the bug bounties:
| Software Project | Bug Bounty Amount (Euro) | Start date (of contract) | End Date | Bug Bounty Platform |
|---|---|---|---|---|
| LIVE! Filezilla | 58 000,00 € | 07/01/2019 | 15/08/2019 | HackerOne |
| LIVE! Apache Kafka | 58 000,00 € | 07/01/2019 | 15/08/2019 | HackerOne |
| LIVE! Notepad++ | 71 000,00 € | 07/01/2019 | 15/08/2019 | HackerOne |
| LIVE! PuTTY | 90 000,00 € | 07/01/2019 | 15/12/2019 | HackerOne |
| LIVE! VLC Media Player | 58 000,00 € | 07/01/2019 | 15/08/2019 | HackerOne |
| LIVE! FLUX TL (private) | 34 000,00 € | 15/01/2019 | 15/10/2019 | Intigriti/Deloitte |
| LIVE! KeePass | 71 000,00 € | 15/01/2019 | 31/07/2019 | Intigriti/Deloitte |
| LIVE! 7-zip | 58 000,00 € | 30/01/2019 | 15/04/2020 | Intigriti/Deloitte |
| LIVE! Digital Signature Services (DSS) (private) | 25 000,00 € | 30/01/2019 | 15/10/2019 | Intigriti/Deloitte |
| LIVE! Drupal | 89 000,00 € | 30/01/2019 | 15/10/2020 | Intigriti/Deloitte |
| LIVE! GNU C Library (glibc) | 45 000,00 € | 30/01/2019 | 15/12/2019 | Intigriti/Deloitte |
| LIVE! PHP Symfony | 39 000,00 € | 30/01/2019 | 15/10/2019 | Intigriti/Deloitte |
| LIVE! Apache Tomcat | 39 000,00 € | 30/01/2019 | 15/10/2019 | Intigriti/Deloitte |
| LIVE! WSO2 | 58 000,00 € | 30/01/2019 | 15/04/2020 | Intigriti/Deloitte |
| LIVE! midPoint (private) | 58 000,00 € | 01/03/2019 | 15/08/2019 | HackerOne |
We will update this post as more, detailled information becomes available.
To the extent possible under law, the creator has waived all copyright and related or neighboring rights to this work.
Ok, fine, some will find biugs, and get rewarded for that. Great !
But let’s talik about those who will get those bugs fixed ? Are they going to be retributed for that ?
I would like to recall the OpenSSL HeartBleed failure : “Think about it, OpenSSL only has two [fulltime] people to write, maintain, test, and review 500,000 lines of business critical code.” (https://en.wikipedia.org/wiki/Heartbleed#Root_causes,_possible_lessons,_and_reactions).
Two individuals. And don’t get it wrong : *MOST* of the OSS softwares are developped by very tiny teams, mostly on their own time, with no incentive to do it but the urge to scratch a itch, and the pleasure to work on something fun. And I’m not talking about unknown projects on a dark corner of The Internet, I’m talking about mainstream projects, used pretty much everywhere.
So, please, keep going with those bug bounties, but in the main time, don’t thing this will server any purpose than misplaced delusion of being useful. This is vain, really.
The way bigger problem is to fond those projects. To identify *real* contributors, and get them receive more than just a pat in the back and a public blame for the bug they left in the code they have written. To get them rewarded. That would be order of magnitude more efficient…
Isn’t putty obsolete since Windows integrates a SSH client natively ?
https://www.bleepingcomputer.com/news/microsoft/windows-10-openssh-client-installed-by-default-in-april-2018-update/
https://www.reddit.com/r/ProgrammerHumor/comments/4wbs5g/putty_just_went_obsolete_for_most/
Nice initiative anyway!
Bruno
You are kidding, right?
If not, check twice the subreddit theme you linked
This is fantastic news! I think this money is well spend and has a direct imapct on security! Good job!
Best regards
Alexander
This is good news… But are only the finders of the bug rewarded? Or are the developers of the patch also sponsored to fix the bug?
This is fantastic news! I would like to thank you and congratulate you!
I am interested in vulnerabilities in public systems of institutions in Bulgaria, especially judicial one.
I want to take part in analysing and to apply for bug bounty.
Will You, please, inform me if such a project will be launched in Bulgaria or EU.
Thanks
I wish to see VyOS on list :)
why not libre office, gnu c avesome!
I need busy box, and firefox, ssh, and kernel. yes kernel
Hi Julia,
This is a great initiative.
I would like to know the formalities to report bugs.
Thanks
Good ideal für Open Source.
This is extremely exciting as the major users should really show more responsibility for the projects they use. However, I find it weird that Notepad++ is on that list. It’s open source, yes, but it’s only available for Windows. There exists some clones, but that’s different code. Is this really good use of that much money? For something as trivial as Notepad++ there’s a lot of crossplatform open source alternatives. Should not a large organisation seek to use apps which are available to everyone whether they use Windows/Mac/Linux instead of making it’s users bound to a certain platform?
Please have a look at alternativeto.net for some excellent crossplatform open source alternatives:
https://alternativeto.net/software/notepad-plus-plus/?license=opensource
Thanks for pushing the use and improvement of open source!
Interesting, and I applaud the project.
Out of curiosity (because I did not see anything in the list) – what is the EC using as a VPN client? Something commercial, and nothing open source?
Thank you so much for this! The whole world benefits from this, not only the EU.
We need more pirates in parliaments around the world!
https://juliareda.eu/2018/12/eu-fossa-bug-bounties/#bugbounty
To find the open source bug, check out the Linux version or Windows?
iam registered at Intigriti/Deloitte and can’t see any of BUG BOUNTY by project
at HackerOne the same
where you take this info about bug bounty from EU ?
Excellent. This will likely be what I spend the next few months doing.
Great initiative! Happy to see the EU invests to security of OSS. But today is Jan 8th, and I don’t see those programs on HackerOne which were announced to start on Jan 7th. Hope they’ll start soon :)
Dear Artem, thanks, and we are indeed also waiting impatiently but currently have no further information. We’ll post an update as soon as we have more info. -Seb
Instead of in addition to KeePass, maybe next time also try to include KeePassXC, which is cross-platform compatible and offers more features. https://keepassxc.org/