EU to fund bug bounties for open source projects including PuTTY, Notepad++, KeePass, Filezilla and VLC
Why it matters: The internet largely relies on open source projects to survive, but these are often developed by hardworking and charitable developers rather than well-paid employees. An unfortunate consequence of this is that developers simply don’t get the time and resources they require to hunt down the vulnerabilities that are so pervasive in complex code.
The European Union has recognized this problem, and as part of their Free and Open Source Software Audit (FOSSA) they’ve set up a bug bounty for 15 applications. The bounty ranges from $30,000 to $100,000 depending on the software in question, and of course, on the seriousness of the vulnerability discovered.
In order of most well-paying to least, the software list includes: PuTTY, Drupal, Notepad++, KeePass, Filezilla, Apache Kafka, VLC Media Player, 7-zip, WSO2, midpoint, GNU C Library, PHP Symfony, Apache Tomcat, and Flux TL.
FOSSA, and the introduction of these bug bounties, comes via EU Member of Parliament Julia Reda. According to her blog post on the bounties, FOSSA launched as a direct result of vulnerabilities found in the open source library OpenSSL in 2014.
The issue made lots of people realize how important Free and Open Source Software is for the integrity and reliability of the Internet and other infrastructure. Like many other organisations, institutions like the European Parliament, the Council and the Commission build upon Free Software to run their websites and many other things.
But the Internet is not only crucial to our economy and our administration. It is the infrastructure that runs our everyday lives. It is the means we use to retrieve information and to be politically active. That is why my colleague Max Andersson and I started the Free and Open Source Software Audit project: FOSSA.
FOSSA launched phase one in 2015, where it conducted a public survey about what to audit. The results were Apache HTTP web servers and password manager KeePass, and they audited them both with a $1.15 million budget in 2016. Phase two launched last year, where they ran a bug bounty program on HackerOne for the VLC Media Player app.
Phase three was in planning this year and will officially kick off throughout January next year, as each of these bug bounties go live on Intigriti and HackerOne.