Sponsored By

The European Union's FOSSA project is launching its first-ever bug bounty program that will focus on 15 different software platforms starting later in January.

Larry Loeb

January 3, 2019

3 Min Read

The Free and Open Source Software Audit (FOSSA) is a project of the European Union that got its start in 2014 thanks to two people: Julia Reda, a Member of European Parliament (MEP) from the Pirate Party, and Max Andersson, MEP from the Green Party.

The project was a specific response to the Heartbleed vulnerability in OpenSSL.

It originally had as its focus the performance of security audits focused on the FOSS software commonly in use in the EU. The first year of FOSSA, from 2015 to 2016, found "the idea that audits alone aren't sufficient to increase security," according to Reda's blog.

However, audits were performed during the first year of FOSSA on the Apache web server and the KeePass password manager.

Now, Reda announced on her blog that FOSSA will be putting some money where its goals are. Starting January 7, there will be €851,000 ($966,000) available for bug bounties for finding vulnerabilities in 15 different software programs. The rewards will be variable, and specifically keyed to the severity of the security issues that are reported and the importance of the software they affect.

(Source: iStock)

(Source: iStock)

The programs that will be looked at under the project include Filezilla, Apache Kafka, Apache Tomcat, Notepad++, PuTTY, VLC, FLUX TL, KeePass, 7-Zip, Digital Signature Services (DSS), Drupal, glibc, PHP Symfony, WSO2 and midPoint.

HackerOne and Deloitte's Intigriti crowdsourced security platforms are being used to handle the details of the project and submissions. Reda also noted:

"The software projects chosen were previously identified as candidates in the inventories [that the EU did in the first year of FOSSA to determine what specific software it relied on -- Ed.] and a public survey."

The bounties paid will be between €25,000 ($28,000) and €90,000 ($103,000). PuTTY and Drupal have the highest bounty amounts associated with them.

Some of the bounties for various programs will run until being ended this summer, but the Drupal effort won't close until October 15, 2020.

FOSSA tried a proof-of-concept bug bounty effort in 2017 using VLC Media Player as the test subject, with €60,000 ($68,000) in funding. This gave the EU some practical experience in running this kind of program.

In her blog, Reda notes that she's looking forward to other parts of FOSSA besides bounties. She notes that they have planned a series of hackathons that will allow software developers from within the EU institutions, and developers from Free Software projects, to work more closely together as well as to collaborate directly on the software that is in wide use.

Note: the Reda blog has a table that specifies the exact bounties and closing dates.

Related posts:

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Read more about:

Security Now

About the Author(s)

Larry Loeb

Blogger, Informationweek

Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek. He has written a book on the Secure Electronic Transaction Internet protocol. His latest book has the commercially obligatory title of Hack Proofing XML. He's been online since uucp "bang" addressing (where the world existed relative to !decvax), serving as editor of the Macintosh Exchange on BIX and the VARBusiness Exchange. His first Mac had 128 KB of memory, which was a big step up from his first 1130, which had 4 KB, as did his first 1401. You can e-mail him at [email protected].

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights