The European Union will pay to find bugs in open source software


The European Commission’s Open Source Program Office has decided to offer bug bounties on popular open source software. What better way to recognize the importance of OSS than through state sponsorship?

Open source software powers everything from modern servers to the IoT to desktops at work and, it seems, is also at the heart of European Union systems. While this EU bug bounty initiative is welcome, it’s not something new; I covered the origins of the program in 2019, see “EU Bug Bounty – Software Security as a Civil Right”.

At the time, the focus was on OpenSSL and the Heartbleed bug. OpenSSL is a cornerstone of today’s Internet communication, and bugs in it put a large share of the world’s encrypted traffic at risk. From the article:

It’s amazing to think that the OpenSSL Software Foundation, which is responsible for maintaining the OpenSSL library, the cornerstone of secure Internet transactions used by millions of websites and organizations, gets just $2,000 from donations per year and has only ONE full-time employee working on the library.

This all came to light after the discovery of the Heartbleed bug, something that finally shook the waters and motivated big names in the industry to support the foundation with proper funding.

Thus, the EU Bug Bounty initiative was launched as part of the Free and Open Source Software Audit (FOSSA) project, thanks to Pirate Party MEP Julia Reda, who started the project after concluding that the serious vulnerabilities found in key infrastructure components like OpenSSL were too much to ignore. This prompted her to involve the European Commission in contributing to Internet security.

Patrice-Emmanuel Schmitz, legal expert at Joinup (a place that allows public administrations, businesses and citizens to share and reuse IT solutions and best practices across Europe) added:

Like bread and beer, free software development is not free: developers need incentives, let’s just say the money they need to buy their bread and beer or to provide their families with a decent life.

In order to provide these incentives, the European Commission is launching around 15 bug bounties in January on free software projects that EU institutions rely on. A bug bounty is a prize for people who actively seek out security issues. The amount of the bounty depends on the seriousness of the problem discovered and the relative importance of the software.

There is now another cybersecurity sponsorship round, but under a new name – European Commission Open Source Program Office (EC OSPO). This time the EU is paying to find security vulnerabilities in LibreOffice, LEOS, Mastodon, Odoo and CryptPad, with an additional 20% bonus for providing a code fix for any bug found.

This bonus matters because once a vulnerability has been identified and reported, maintainers are often slow to release a fix. The bonus gives bug hunters an incentive to submit a patch along with the vulnerability report, which should shorten the time between disclosure and fix.

The applications were chosen on the basis of actual use: all are open source solutions deployed by public services throughout the European Union:

  • LibreOffice – the free and powerful office suite.
  • Mastodon – a free and open source social network server based on ActivityPub where users can follow friends and discover new ones.
  • Odoo – an ERP business management solution with an integrated e-commerce and CRM system.
  • CryptPad – a secure, end-to-end encrypted open source collaboration platform that allows users to work together online on documents, spreadsheets and other files.
  • LEOS – software tool helping those involved in drafting legislation, which is usually a complex process requiring efficient online collaboration.

It seems that the security of desktop applications is being treated on the same level as that of server-side software. In some cases, client-side attacks are even more dangerous because desktop applications are used en masse, and when one is exploited the result is not just a leak of identification or personal data but full control of the user’s PC, and therefore of their entire digital life. A malformed document that triggers a bug in an office suite, for instance, runs attacker code with the privileges of whoever opened it.

Bug hunters are called upon to find security vulnerabilities such as personal data leaks, horizontal/vertical elevation of privileges and SQL injection. The highest reward will be EUR 5,000 for exceptional vulnerabilities plus, as already mentioned, a 20% bonus if the fix is also provided. The bug bounty will run on the Intigriti platform, which works with teams of all sizes, shapes and industries based in Europe to secure digital assets, protect confidential information and customer data and run a responsible disclosure process.

More information

The European Commission’s Open Source Program Office launches bug bounties

Related Articles

EU Bug Bounty – Software security as a civil right

Joinup-Software Security IS a civil right
