The European Commission’s Open Source Programme Office has decided to offer bug bounties on popular open source software. What better way of acknowledging OSS’s importance than by a state-driven sponsorship?
Open Source Software powers everything, from modern servers to IoT to the desktops at work, and, as it seems, it is at the heart of European Union systems too. While this EU bug bounty initiative is welcome, it is not something new; I covered the origins of the program in 2019, see “EU Bug Bounty – Software Security as a Civil Right”.
Back then the bounty was focused on OpenSSL and the Heartbleed bug. As everyone knows, OpenSSL is really the cornerstone of today's internet-based communication, and as such bugs in it compromise the very fabric of society. From the article:
It is amazing to think that the OpenSSL Software Foundation which is responsible for the maintenance of the OpenSSL library, the cornerstone of safe transactions on the Internet used by millions of websites and organizations, receives just $2000 of donation money per year and has only ONE full-time employee working on the library.
All that was revealed after the discovery of the Heartbleed bug, something that finally shook the waters and motivated the big industry names to support the foundation with proper funding.
As such, the EU Bug Bounty initiative was launched as part of the Free and Open Source Software Audit (FOSSA) project, thanks to Julia Reda, MEP of the EU Pirate Party, who started the project thinking that enough is enough after severe vulnerabilities were discovered in key infrastructure components like OpenSSL. This prompted her to involve the EU Commission in contributing to the security of the Internet.
Patrice-Emmanuel Schmitz, legal expert of Joinup (a venue that enables public administrations, businesses and citizens to share and reuse IT solutions and good practices across Europe) added:
Like bread and beer, free software development is not for free: developers need some incentives, let’s say just the money they need for purchasing their bread and beer or for ensuring their family a decent way of life.
In order to provide these incentives, the European Commission is launching in January about 15 bug bounties on Free Software projects that the EU institutions rely on. A bug bounty is a prize for people who actively search for security issues. The amount of the bounty depends on the severity of the issue uncovered and the relative importance of the software.
Now there’s another round of cybersecurity sponsorship, but under a new name – European Commission Open Source Programme Office (EC OSPO). This time the EU pays for finding security vulnerabilities in LibreOffice, LEOS, Mastodon, Odoo and CryptPad, with an added 20% bonus for providing a code fix for the bugs discovered.
This bonus is very important, as once a vulnerability has been identified and reported, in many cases the maintainers of the project are slow in getting a patch out. The bonus tries to incentivize bug hunters to propose fixes as well as find vulnerabilities, hence leading to a much shorter response time.
The criteria for choosing particular applications were based on their actual use. All of them are open source solutions used by public services across the European Union:
- LibreOffice – the free and powerful office suite.
- Mastodon – a free, open-source social network server based on ActivityPub where users can follow friends and discover new ones.
- Odoo – an ERP business management solution with an eCommerce and CRM system built in.
- CryptPad – a secure and encrypted open-source collaboration platform that allows people to work together online on text documents, spreadsheets, and other types of files.
- LEOS – a software tool that helps those involved in drafting legislation, which is usually a complex process requiring efficient online collaboration.
It seems that the security of desktop apps is considered on par with that of the server-side kind. In some cases client-side attacks can be even more dangerous, because desktop apps are consumed en masse: when one is exploited it is not just some vague hacking attack happening on the Internet that leaks credentials and personal information, but the taking of full control of the users’ PCs, and therefore of their complete digital life.
Bug hunters are called to find security vulnerabilities such as leaks of personal data, horizontal/vertical privilege escalation and SQLi. The highest reward will be EUR 5,000 for exceptional vulnerabilities plus, as already mentioned, a 20% bonus if the fix is also provided. The bug bounty is going to be based on the Intigriti platform, which works with teams of every size, shape and industry based in Europe to secure digital assets, protect confidential information and customer data, and strengthen a responsible disclosure process.