The European Union is about to sponsor 14 bug bounty programs for vulnerabilities in 14 popular open-source software projects. The announcement was made a few days ago by Julia Reda, who represents the German Pirate Party in the European Parliament.
The new bounty project is being sponsored by the Free and Open Source Software Audit, or FOSSA.
So, what’s the third edition of FOSSA all about and what does it mean for security researchers?
Third Edition of FOSSA Starting in January 2019
First of all, let’s see the 14 software projects that are part of the new bounty program. The complete list consists of 7-zip, Apache Kafka, Apache Tomcat, Digital Signature Services (DSS), Drupal, Filezilla, FLUX TL, the GNU C Library (glibc), KeePass, midPoint, Notepad++, PuTTY, the Symfony PHP framework, VLC Media Player, and WSO2. As already mentioned, the bug bounties are sponsored by the FOSSA project as part of their third edition.
The project was first started in 2015. Its initiation was triggered by the discovery of severe flaws in the OpenSSL library, such as the infamous Heartbleed vulnerability. As explained by Reda in her announcement, “the issue made lots of people realize how important Free and Open Source Software is for the integrity and reliability of the Internet and other infrastructure”.
As for the funding, the European Union is offering $1 million for the bug bounty programs for the 14 companies listed above, with rewards ranging from $25,000 to $90,000. Some of the programs will continue until the summer of 2019, and others are expected to run until the end of next year. It should be noted that the highest payments will be given for vulnerabilities in PuTTY and Drupal.
How can researchers participate? Interested experts will be invited to submit their discoveries using the HackerOne and Deloitte’s Intigriti crowdsourced security platforms.
The first edition of FOSSA took place between 2015 and 2016, and involved three major sub-projects: the establishment of an inventory of the free software used by the European Parliament, an analysis of how developers handle security, and security audits of the Apache web server and the KeePass password manager.
FOSSA 2 took place in 2017 as a bug bounty program on HackerOne specifically for the VLC Media Player app. This year FOSSA returns in its third phase involving the 14 bug bounty programs. Security researchers will soon be able to locate and report security flaws in the open source projects. Rewards will be given to those whose reports are approved, and patches are released.