EU announces FOSSA bug bounty programme worth nearly €1m - but is it enough?

News by Davey Winder

As the EU launches financial incentives to find bugs in popular open source software, experts warn that there may not be enough resources to respond to waves of bug reports.

Will open source developers be able to keep up? (Pic: LdF/Getty Images)

Julia Reda, European Pirate Party member and founder of the Free and Open Source Software Audit (FOSSA) programme, has announced the launch of a European Commission sponsored bug bounty fund to find vulnerabilities in some of the most popular free and open source software used by EU institutions.

The fund, totalling €851,000, will be used to incentivise the hunt for vulnerabilities in such applications as 7-zip, Apache Tomcat, Drupal, FileZilla, KeePass, Notepad++ and VLC.

Altogether there are 14 bug bounties being launched during January, with a 15th being made available in March. How much money is up for grabs varies depending upon the nature of the vulnerability uncovered and the relative importance of the software, but the minimum single bounty is set at €25,000 with a maximum of €90,000.

"Like many other organisations, institutions like the European Parliament, the Council and the Commission build upon Free Software to run their websites and many other things," Reda explained in her announcement. "The EU is launching bug bounties on Free Software projects to increase the security of the Internet!"

Anyone can take part by submitting vulnerabilities to the relevant bug bounty platforms. HackerOne is the platform handling Apache Kafka, FileZilla, midPoint, Notepad++, PuTTY and VLC Media Player while the remaining nine pieces of software are being handled by Intigriti/Deloitte.

SC Media UK reached out to HackerOne CEO Marten Mickos to ask whether there are potential problems ahead for free and open source software if the people developing and maintaining the projects are overwhelmed by bug reports.

"All improvement starts with acknowledgment of a weakness," Mickos said. "Reporting a security vulnerability is always better than not reporting it, and knowing about it is always better than not knowing about it."

When it comes to smaller open source projects, to the degree such software is in critical use by society, Mickos agrees that there needs to be help not only to find but also to fix vulnerabilities.

"In the last few years, the Linux Foundation has been making sure that key open source projects have maintainers with the ability to fix bugs and vulnerabilities," Mickos said. "We should broaden such initiatives and do more for open source projects. The EU FOSSA initiative is a great step in the right direction."

Tim Mackey, senior technical evangelist at Synopsys, applauded the EU for stepping into the security debate with this bug bounty programme but told SC he would be happier had they also funded developers and security professionals to work with the communities creating their target applications.

"That way not only are issues being discovered," Mackey said, "but the overall process can be improved while addressing any issues uncovered."

He makes a good point, not least because the 'many eyes' concept is seen by some security professionals as problematic. "In the open source arena, it's a common misconception that somebody else in the community is looking for the security defect," Paul Farrington, director of solutions architecture (EMEA) at Veracode, said.

The 2018 State of Software Security Report from Veracode hammers home that point, finding that 87.5 percent of Java applications contained at least one open source library with vulnerabilities.

"You can’t rely on detecting the majority of vulnerabilities by employing an army of people to do what automation does better," Farrington argued. "Some of the projects in scope for the EU testing rely on other open source projects known to have vulnerabilities associated with them – a simple software composition analysis scan would reveal the use of such insecure libraries."
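The software composition analysis scan Farrington refers to is, at its core, a comparison of a project's declared dependencies against a database of affected version ranges. The following script is an added example, not code from the article, from Veracode or from any of the projects named above. The manifest it parses, the package versions and the advisory identifiers are all constructed for illustration; the `EXAMPLE-ADV-*` ids are placeholders, not real CVE numbers.

```python
"""Minimal software composition analysis (SCA) check.

Parses a constructed, requirements.txt-style dependency manifest and matches
each pinned library against a constructed advisory list with affected version
ranges. Package names, versions and advisory ids are made up for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed manifest; the pins below are illustrative, not from a real project.
MANIFEST = """\
# example application dependencies (constructed)
requests==2.19.1
pyyaml==3.13
jinja2==2.10.1
"""


@dataclass(frozen=True)
class Advisory:
    package: str
    advisory_id: str           # placeholder id, not a real CVE
    introduced: str            # first affected version (inclusive)
    fixed: Optional[str]       # first fixed version (exclusive); None = unfixed


# Constructed advisory database; ids are placeholders, not real CVEs.
ADVISORIES = [
    Advisory("requests", "EXAMPLE-ADV-0001", "0", "2.20.0"),
    Advisory("pyyaml", "EXAMPLE-ADV-0002", "0", "5.1"),
    Advisory("jinja2", "EXAMPLE-ADV-0003", "0", "2.10.1"),
]


def parse_version(v: str) -> tuple[int, ...]:
    """Convert '2.19.1' to (2, 19, 1) so versions order as tuples.

    Non-numeric characters in a component are dropped; a component with no
    digits counts as 0. Good enough for dotted numeric versions.
    """
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def parse_manifest(text: str) -> dict[str, str]:
    """Return {package: pinned_version} for each 'name==version' line."""
    pins: dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # strip comments and whitespace
        if not line or "==" not in line:
            continue                              # only exact pins are handled
        name, version = line.split("==", 1)
        pins[name.strip().lower()] = version.strip()
    return pins


def is_affected(version: str, adv: Advisory) -> bool:
    """True when version lies in [introduced, fixed), or >= introduced if unfixed."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


def scan(manifest: str, advisories: list[Advisory]) -> list[tuple[str, str, str]]:
    """Return (package, version, advisory_id) for every pinned library that
    falls inside an advisory's affected range."""
    pins = parse_manifest(manifest)
    findings = []
    for adv in advisories:
        version = pins.get(adv.package.lower())
        if version is not None and is_affected(version, adv):
            findings.append((adv.package, version, adv.advisory_id))
    return findings


if __name__ == "__main__":
    for pkg, ver, adv_id in scan(MANIFEST, ADVISORIES):
        print(f"{pkg}=={ver} is affected by {adv_id}")
```

Run stand-alone, the script flags the two constructed pins that sit below their advisory's fixed version and leaves the third alone because its pin equals the fixed version. A production SCA tool additionally resolves transitive dependencies, handles version specifiers other than `==`, and consumes a maintained advisory feed; this example keeps only the range check that those tools all reduce to.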

Malcolm Taylor, head of cyber-security at ITC Secure, is broadly welcoming of the EU initiative but not for the reason you might imagine. Rather than thinking it will necessarily lead to more bugs being identified, he is happy because it is yet more incentive and pressure for people to act on security challenges.

"Whilst not all open source projects will directly benefit," Taylor said, "the uplift in the common understanding is beneficial regardless."
