Open source software vulnerability bounty program

This program will focus on the 14 open source products used by the organization.

According to cybersecurity and ethical hacking specialists from the International Institute of Cyber Security, the European Union will launch a vulnerability bounty program for the 14 open source products that the organization uses. Julia Reda, Member of the European Parliament, recently announced that the European Commission will offer rewards worth up to €581k thanks to the Free and Open Source Software Audit (FOSSA) program.

The program will enter into force from January 2019 and is part of the third edition of the FOSSA Project of the European Union, approved by the member countries in 2015, after severe vulnerabilities were discovered in the OpenSSL library in 2014.

According to specialists in cybersecurity, the tools included in this rewards program include 7-Zip, Apache Tomcat, Apache Kafka, FileZilla, Drupal, some digital signature services (DSS), Symfony PHP and VLC Media Player, among others.

During the announcement, the European Parliament highlighted the importance of open source software: "The 2014 incident made us realize the importance of the use of open software for the reliability of many computer infrastructures. Like many other organizations, the European Union is based on the use of free software to manage multiple platforms."

The first edition of the FOSSA program was held in 2016, had a budget close to €1M and sponsored security audits of KeePass and the Apache HTTP web server. During the second edition, the program had a budget of €2M, which covered various vulnerabilities in the VLC Media Player application.

From January 2019 onwards, independent experts and cybersecurity firms will be able to start looking for bugs in these open source projects in order to claim the various rewards. Security vulnerabilities in Apache Kafka, Notepad++, PuTTY, FileZilla and VLC Media Player can be reported as of January 7, 2019, through the HackerOne vulnerability bounty coordination platform.

As of March 1, 2019, vulnerabilities in midPoint, the government platform for identity management, can be reported. Security audits for the remaining nine products will be coordinated through a Brussels-based crowdsourced security platform.

On her personal blog, Julia Reda comments that the European Union also plans to conduct a series of ethical hacking and cybersecurity events. In addition, Reda says that in the future the FOSSA program will focus mainly on Drupal, and that developers will find the necessary motivation to build secure products.