EU Launches Bug Bounty for 15 Open Source Projects
The EU has recently announced the launch of a bug bounty program as part of the Free and Open Source Software Audit (FOSSA). The program is run in partnership with HackerOne and Intigriti. The 15 open source applications are 7-zip, Apache Kafka, Apache Tomcat, Digital Signature Services (DSS), Drupal, Filezilla, FLUX TL, the GNU C Library (glibc), KeePass, midPoint, Notepad++, PHP Symfony, PuTTY, VLC Media Player and WSO2, according to EU Parliament member Julia Reda.
Reda, who has written extensively about the security risks in OpenSSL, launched the FOSSA project with her colleague Max Andersson in 2015; the project is now moving into its third phase. The first 14 bug bounty projects will commence in January 2019, with the final project beginning in March.
While bug bounty programs call upon the hacker community to come together in search of vulnerabilities, applying the crowdsourced concept to open source presents unexpected challenges, according to Tim Mackey, senior technical evangelist at Black Duck by Synopsys.
“Since bug bounty programs favor the discovery of issues with an implicit assumption that resources exist to resolve found issues, any security issue disclosed in public leaves users vulnerable until a fix is found.
“Once a fix is created, that fix needs to be delivered to users. This is by far the most significant hurdle for bug bounty–based efforts in FOSS. The core challenge is an assumption that is valid only for commercial software – [that] there is a single release stream to upgrade. As the FOSS community knows very well, branches of releases are very common, and it may be difficult to apply a fix from one branch to another.”