EU to fund bug bounty programs for 14 open source projects starting January 2019

Some of the approved projects include KeePass, 7-zip, VLC Media Player, Drupal, and FileZilla.

GitHub: EU copyright crackdown could hurt open source development New regulations could force platforms hosting code repositories to scan uploaded code.

The European Union will foot the bill for bug bounty programs for 14 open source projects, EU Member of Parliament Julia Reda announced this week.

The 14 projects are, in alphabetical order, 7-zip, Apache Kafka, Apache Tomcat, Digital Signature Services (DSS), Drupal, Filezilla, FLUX TL, the GNU C Library (glibc), KeePass, midPoint, Notepad++, PuTTY, the Symfony PHP framework, VLC Media Player, and WSO2.

The bug bounty programs are being sponsored as part of the third edition of the Free and Open Source Software Audit (FOSSA) project.

EU authorities first approved FOSSA in 2015, after security researchers discovered a year earlier severe vulnerabilities in the OpenSSL library, an open source project used by many websites to support HTTPS connections.

"The issue made lots of people realise how important Free and Open Source Software is for the integrity and reliability of the Internet and other infrastructure," said Reda in her announcement. "Like many other organisations, institutions like the European Parliament, the Council and the Commission build upon Free Software to run their websites and many other things."

The first FOSSA edition ran between 2015 and 2016, as a pilot program, with an initial budget of €1 million. The EU inventorized the most popular open source projects used by EU offices and officials, and they held a public survey to decide what program that should sponsor a security audit for. Two projects were selected, the Apache HTTP web server and the KeePass password manager.

FOSSA 2 ran throughout 2017 as a bug bounty program on HackerOne for the VLC Media Player app. The program received €2 million in funding, but the bug bounty program's budget was capped at €60,000.

Now, FOSSA returns for its third edition with budgets for 14 bug bounty programs, with the highest budgets being reserved for PuTTY and the Drupal CMS.

Software ProjectBug Bounty Amount (Euro)Start DateEnd DateBug Bounty Platform
Filezilla 58.000,00 € 07/01/2019 15/08/2019 HackerOne
Apache Kafka 58.000,00 € 07/01/2019 15/08/2019 HackerOne
Notepad++ 71.000,00 € 07/01/2019 15/08/2019 HackerOne
PuTTY 90.000,00 € 07/01/2019 15/12/2019 HackerOne
VLC Media Player 58.000,00 € 07/01/2019 15/08/2019 HackerOne
FLUX TL 34.000,00 € 15/01/2019 15/10/2019 Intigriti/Deloitte
KeePass 71.000,00 € 15/01/2019 31/07/2019 Intigriti/Deloitte
7-zip 58.000,00 € 30/01/2019 15/04/2020 Intigriti/Deloitte
Digital Signature Services (DSS) 25.000,00 € 30/01/2019 15/10/2019 Intigriti/Deloitte
Drupal 89.000,00 € 30/01/2019 15/10/2020 Intigriti/Deloitte
GNU C Library (glibc) 45.000,00 € 30/01/2019 15/12/2019 Intigriti/Deloitte
PHP Symfony 39.000,00 € 30/01/2019 15/10/2019 Intigriti/Deloitte
Apache Tomcat 39.000,00 € 30/01/2019 15/10/2019 Intigriti/Deloitte
WSO2 58.000,00 € 30/01/2019 15/04/2020 Intigriti/Deloitte
midPoint 58.000,00 € 01/03/2019 15/08/2019 HackerOne

Starting with January, security researchers and security companies can hunt vulnerabilities in these open source projects and report them to the bug bounty programs linked above, in the hopes of a monetary reward, if the bug report is approved and results in a patch.

Related cybersecurity coverage: