Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security //

Open Source

1/3/2019
08:15 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

EU's FOSSA Project Launches New Bug Bounty Program

The European Union's FOSSA project is launching its first-ever bug bounty program that will focus on 15 different software platforms starting later in January.

The Free and Open Source Software Audit (FOSSA) is a project of the European Union that got its start in 2014 thanks to two people: Julia Reda, a Member of European Parliament (MEP) from the Pirate Party, and Max Andersson, MEP from the Green Party.

The project was a specific response to the Heartbleed vulnerability in OpenSSL.

It originally had as its focus the performance of security audits focused on the FOSS software commonly in use in the EU. The first year of FOSSA, from 2015 to 2016, found "the idea that audits alone aren't sufficient to increase security," according to Reda's blog.

However, audits were performed during the first year of FOSSA on the Apache web server and the KeePass password manager.

Now, Reda announced on her blog that FOSSA will be putting some money where its goals are. Starting January 7, there will be €851,000 ($966,000) available for bug bounties for finding vulnerabilities in 15 different software programs. The rewards will be variable, and specifically keyed to the severity of the security issues that are reported and the importance of the software they affect.

(Source: iStock)
(Source: iStock)

The programs that will be looked at under the project include Filezilla, Apache Kafka, Apache Tomcat, Notepad++, PuTTY, VLC, FLUX TL, KeePass, 7-Zip, Digital Signature Services (DSS), Drupal, glibc, PHP Symfony, WSO2 and midPoint.

HackerOne and Deloitte's Intigriti crowdsourced security platforms are being used to handle the details of the project and submissions. Reda also noted:

The software projects chosen were previously identified as candidates in the inventories [that the EU did in the first year of FOSSA to determine what specific software it relied on -- Ed.] and a public survey.

The bounties paid will be between €25,000 ($28,000) and €90,000 ($103,000). PuTTY and Drupal have the highest bounty amounts associated with them.

Some of the bounties for various programs will run until being ended this summer, but the Drupal effort won't close until October 15, 2020.

FOSSA tried a proof-of-concept bug bounty effort in 2017 using VLC Media Player as the test subject, with €60,000 ($68,000) in funding. This gave the EU some practical experience in running this kind of program.

In her blog, Reda notes that she's looking forward to other parts of FOSSA besides bounties. She notes that they have planned a series of hackathons that will allow software developers from within the EU institutions, and developers from Free Software projects, to work more closely together as well as to collaborate directly on the software that is in wide use.

Note: the Reda blog has a table that specifies the exact bounties and closing dates.

Related posts:

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Enterprises are Attacking the Cybersecurity Problem
Concerns over supply chain vulnerabilities and attack visibility drove some significant changes in enterprise cybersecurity strategies over the past year. Dark Reading's 2021 Strategic Security Survey showed that many organizations are staying the course regarding the use of a mix of attack prevention and threat detection technologies and practices for dealing with cyber threats.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-41163
PUBLISHED: 2021-10-20
Discourse is an open source platform for community discussion. In affected versions maliciously crafted requests could lead to remote code execution. This resulted from a lack of validation in subscribe_url values. This issue is patched in the latest stable, beta and tests-passed versions of Discour...
CVE-2021-42299
PUBLISHED: 2021-10-20
Microsoft Surface Pro 3 Security Feature Bypass Vulnerability
CVE-2021-42771
PUBLISHED: 2021-10-20
Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary locale .dat files (containing serialized Python objects) via directory traversal, leading to code execution.
CVE-2021-42764
PUBLISHED: 2021-10-20
The Proof-of-Stake (PoS) Ethereum consensus protocol through 2021-10-19 allows an adversary to cause a denial of service (delayed consensus decisions), and also increase the profits of individual validators, via short-range reorganizations of the underlying consensus chain.
CVE-2021-42765
PUBLISHED: 2021-10-20
The Proof-of-Stake (PoS) Ethereum consensus protocol through 2021-10-19 allows an adversary to leverage network delay to cause a denial of service (indefinite stalling of consensus decisions).