Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security //

Open Source

1/3/2019
08:15 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

EU's FOSSA Project Launches New Bug Bounty Program

The European Union's FOSSA project is launching its first-ever bug bounty program that will focus on 15 different software platforms starting later in January.

The Free and Open Source Software Audit (FOSSA) is a project of the European Union that got its start in 2014 thanks to two people: Julia Reda, a Member of European Parliament (MEP) from the Pirate Party, and Max Andersson, MEP from the Green Party.

The project was a specific response to the Heartbleed vulnerability in OpenSSL.

It originally had as its focus the performance of security audits focused on the FOSS software commonly in use in the EU. The first year of FOSSA, from 2015 to 2016, found "the idea that audits alone aren't sufficient to increase security," according to Reda's blog.

However, audits were performed during the first year of FOSSA on the Apache web server and the KeePass password manager.

Now, Reda announced on her blog that FOSSA will be putting some money where its goals are. Starting January 7, there will be €851,000 ($966,000) available for bug bounties for finding vulnerabilities in 15 different software programs. The rewards will be variable, and specifically keyed to the severity of the security issues that are reported and the importance of the software they affect.

(Source: iStock)
(Source: iStock)

The programs that will be looked at under the project include Filezilla, Apache Kafka, Apache Tomcat, Notepad++, PuTTY, VLC, FLUX TL, KeePass, 7-Zip, Digital Signature Services (DSS), Drupal, glibc, PHP Symfony, WSO2 and midPoint.

HackerOne and Deloitte's Intigriti crowdsourced security platforms are being used to handle the details of the project and submissions. Reda also noted:

The software projects chosen were previously identified as candidates in the inventories [that the EU did in the first year of FOSSA to determine what specific software it relied on -- Ed.] and a public survey.

The bounties paid will be between €25,000 ($28,000) and €90,000 ($103,000). PuTTY and Drupal have the highest bounty amounts associated with them.

Some of the bounties for various programs will run until being ended this summer, but the Drupal effort won't close until October 15, 2020.

FOSSA tried a proof-of-concept bug bounty effort in 2017 using VLC Media Player as the test subject, with €60,000 ($68,000) in funding. This gave the EU some practical experience in running this kind of program.

In her blog, Reda notes that she's looking forward to other parts of FOSSA besides bounties. She notes that they have planned a series of hackathons that will allow software developers from within the EU institutions, and developers from Free Software projects, to work more closely together as well as to collaborate directly on the software that is in wide use.

Note: the Reda blog has a table that specifies the exact bounties and closing dates.

Related posts:

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Enterprise Cybersecurity Plans in a Post-Pandemic World
Download the Enterprise Cybersecurity Plans in a Post-Pandemic World report to understand how security leaders are maintaining pace with pandemic-related challenges, and where there is room for improvement.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-41086
PUBLISHED: 2021-09-21
jsuites is an open source collection of common required javascript web components. In affected versions users are subject to cross site scripting (XSS) attacks via clipboard content. jsuites is vulnerable to DOM based XSS if the user can be tricked into copying _anything_ from a malicious and pastin...
CVE-2021-41087
PUBLISHED: 2021-09-21
in-toto-golang is a go implementation of the in-toto framework to protect software supply chain integrity. In affected versions authenticated attackers posing as functionaries (i.e., within a trusted set of users for a layout) are able to create attestations that may bypass DISALLOW rules in the sam...
CVE-2020-19554
PUBLISHED: 2021-09-21
Cross Site Scripting (XSS) vulnerability exists in ManageEngine OPManager <=12.5.174 when the API key contains an XML-based XSS payload.
CVE-2020-35540
PUBLISHED: 2021-09-21
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2020. Notes: none.
CVE-2020-35541
PUBLISHED: 2021-09-21
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2020. Notes: none.