EU's FOSSA Project Launches New Bug Bounty Program

The Free and Open Source Software Audit (FOSSA) is a project of the European Union that got its start in 2014 thanks to two people: Julia Reda, a Member of European Parliament (MEP) from the Pirate Party, and Max Andersson, MEP from the Green Party.

The project was a specific response to the Heartbleed vulnerability in OpenSSL.

It originally had as its focus the performance of security audits focused on the FOSS software commonly in use in the EU. The first year of FOSSA, from 2015 to 2016, found "the idea that audits alone aren't sufficient to increase security," according to Reda's blog.

However, audits were performed during the first year of FOSSA on the Apache web server and the KeePass password manager.

Now, Reda announced on her blog that FOSSA will be putting some money where its goals are. Starting January 7, there will be €851,000 ($966,000) available for bug bounties for finding vulnerabilities in 15 different software programs. The rewards will be variable, and specifically keyed to the severity of the security issues that are reported and the importance of the software they affect.

(Source: iStock)

The programs that will be looked at under the project include Filezilla, Apache Kafka, Apache Tomcat, Notepad++, PuTTY, VLC, FLUX TL, KeePass, 7-Zip, Digital Signature Services (DSS), Drupal, glibc, PHP Symfony, WSO2 and midPoint.

HackerOne and Deloitte's Intigriti crowdsourced security platforms are being used to handle the details of the project and submissions. Reda also noted:

"The software projects chosen were previously identified as candidates in the inventories [that the EU did in the first year of FOSSA to determine what specific software it relied on -- Ed.] and a public survey."

The bounties paid will be between €25,000 ($28,000) and €90,000 ($103,000). PuTTY and Drupal have the highest bounty amounts associated with them.

Some of the bounties for various programs will run until being ended this summer, but the Drupal effort won't close until October 15, 2020.

FOSSA tried a proof-of-concept bug bounty effort in 2017 using VLC Media Player as the test subject, with €60,000 ($68,000) in funding. This gave the EU some practical experience in running this kind of program.

In her blog, Reda notes that she's looking forward to other parts of FOSSA besides bounties. She notes that they have planned a series of hackathons that will allow software developers from within the EU institutions, and developers from Free Software projects, to work more closely together as well as to collaborate directly on the software that is in wide use.

Note: the Reda blog has a table that specifies the exact bounties and closing dates.

Related posts:

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.