European Commission launches new open source software bug bounty scheme
Jessica HaworthJanuary 21, 2022 at 4:00 PM UTC

Updated: January 21, 2022 at 4:20 p.m. UTC

Hackers urged to test services used by EU agencies

The European Commission (EC) has launched a bug bounty program for open source projects that underpin its public services.

Bug bounty hunters will be offered up to €5,000 ($5,600) to find security vulnerabilities in open source software used in the European Union (EU), including LibreOffice, LEOS, Mastodon, Odoo and CryptPad.

The scheme, run by the European bug bounty platform Intigriti, also pays a 20% bonus when the researcher supplies a code fix for the reported bug alongside the report.

In a declaration published on January 19, the EC said it was looking for reports of security vulnerabilities such as personal data leaks, horizontal or vertical elevation of privilege, and SQL injection. The highest reward will be paid for “exceptional vulnerabilities”.


This latest program follows the EU’s FOSSA program, which has paid out more than $220,000 in 18 months of operation, and has been hailed as a “remarkable success”.

Speaking to The Daily Swig, Inti De Ceukelaire, head of hackers at Intigriti, said the partnership was born last year, when Intigriti ran a program funded by the EC’s ISA2 program.

“We are committed to further nurturing the relationship with open source communities that we have established over the past few years,” he said.

“I personally believe that every government agency should have and encourage the use of vulnerability disclosure policies, and introduce or pass unambiguous laws to support vulnerability research. Bug bounties, among other crowdfunding initiatives, are a great way to encourage that.”


De Ceukelaire added: “Almost all organizations use open source projects in one way or another. Identifying and fixing security vulnerabilities in these projects has a large-scale impact.

“The Log4j incident has shown us that security support for widely used open source projects is an absolute must, so we can only applaud this initiative from the European Commission.”

Odoo is currently an invite-only program, but other programs can be found at Intigriti’s website.
