Last updated: April 17, 2018

Current event

On 14 April 2018, the European Commission launched the public call for tenders for bug bounty providers. Companies providing bug bounties can now apply for a contract with the Commission to run the FOSSA bug bounties later this year. For more, see below.

1st phase: the FOSSA pilot project

In 2014, I started the Free and Open Source Software Audit (FOSSA) project to help improve the overall security of the Internet, after severe vulnerabilities were discovered in key infrastructure components like OpenSSL.

A first “pilot project” phase completed in November 2016. Apache and KeePass received a security audit as a part of this first phase.

Security audit for our common infrastructure

The Internet is built on Free and Open Source Software. It is part of our everyday lives. Therefore the European Commission and public administrations in general have a responsibility to ensure its stability, reliability and security – by investing in it.

2nd phase: the FOSSA preparatory action

In 2017, FOSSA was renewed for an additional 3 years. With the introduction of bug bounties as a part of FOSSA 2, I want the EU to reach out more directly to developers, security researchers, and hackers.

FOSSA is managed and executed by the European Commission.

FOSSA bug bounty

A Bug Bounty is a prize for people who actively search for security issues. Usually, the amount depends on the budget of the software or hardware scrutinized, and the severity of the issue uncovered.

In November 2017, the Commission announced it would run the first bug bounty of FOSSA 2 on VLC Media Player as a proof of concept. According to the Commission, this allowed them to acquire experience in running bug bounties that can then be used for the main project.
You can read an interview with the managing team on the bug bounty platform HackerOne’s web site.

Companies can apply to run the bug bounties in a public Call for Tenders that was launched in April 2018. The main bug bounties are expected to start in fall this year.

Outreach: FOSSA hackathons

One of the main outcomes of the first FOSSA year was the idea that audits alone aren’t sufficient to increase security. Instead, we must approach security already in software development. To that end, we want to invite projects to Brussels to spend time together to work on security-relevant issues in their software, and to learn more about secure software development.

After the bug bounties, and hopefully after lots of bugs have been found, the Commission will run several hackathons where developers from both the projects and the European Institutions that rely on their software can come together.

The Commission will also continue to reach out to the Free Software community at conferences and events.

Free Software security should be a permanent EU budget item

I think that the security of Free Software is in our common interest. Not only do people rely on Free Software for their daily use, they also rely on it because it is the foundation of the Internet infrastructure. Consequently, the European Institutions, governments and administration throughout Europe and beyond rely on its security.

That is why the goal with the FOSSA project is to establish Free Software Security as a permanent item in the EU budget.

To the extent possible under law, the creator has waived all copyright and related or neighboring rights to this work.
