The European Union (EU) has announced that it is to support several open source bug bounty programmes. It is doing so in order to protect the open source software that the EU is becoming ever more reliant upon. The move was announced by Member of the European Parliament (MEP) Julia Reda, who listed 15 projects. However, only 14 will receive funding, although it is not clear which one will be left out.
The 15 projects, the size of the bug bounty and the bug bounty platform were detailed by Reda. The list is:
| Software Project | Bug Bounty Amount (Euro) | Start Date | End Date | Bug Bounty Platform |
|---|---|---|---|---|
| Apache Kafka | 58.000,00 € | 07/01/2019 | 15/08/2019 | HackerOne |
| VLC Media Player | 58.000,00 € | 07/01/2019 | 15/08/2019 | HackerOne |
| FLUX TL | 34.000,00 € | 15/01/2019 | 15/10/2019 | Intigriti/Deloitte |
| Digital Signature Services (DSS) | 25.000,00 € | 30/01/2019 | 15/10/2019 | Intigriti/Deloitte |
| GNU C Library (glibc) | 45.000,00 € | 30/01/2019 | 15/12/2019 | Intigriti/Deloitte |
| PHP Symfony | 39.000,00 € | 30/01/2019 | 15/10/2019 | Intigriti/Deloitte |
| Apache Tomcat | 39.000,00 € | 30/01/2019 | 15/10/2019 | Intigriti/Deloitte |
In all, this amounts to over €851,000 (£762,500, US$972,100). While this might seem a large amount of money, it is relatively small in terms of bug bounties. It will also have to be split over multiple bugs as they are reported, making it difficult to know what each security researcher can expect to earn.
Bug bounties key to improving the underlying software
Advocates of open source say that it is more secure than commercial software due to the number of people looking at the source code. That sounds good but as we’ve seen in recent years, it is far from reality. That is because it relies on the willingness of an often very small group of people to validate the code from others. It also often assumes that older code has been checked and no longer needs to be looked at.
Bug bounties change that relationship. They give people a reason to check the code contributed by others. They also help the community to create better mechanisms to ensure that it deals with security earlier in the software development cycle.
However, even when bugs are found and fixed, that alone does not make those using the software any more secure. Simply fixing the underlying code does not mean that users will update their version of the software. Without that step, bug fixes have very limited value. This is not just about individual instances of the software. As the EU and other organisations move further down the path of greater software integration, it only takes one unpatched project to cause problems for everyone.
Drupal is a good example of this. It was a target for several attacks last year that exploited known bugs. However, as of 27 December 2018, NTT Security reported it had found around 62,00 unpatched public-facing Drupal servers.
Enterprise Times: What does this mean?
Anything that improves the quality of software is to be welcomed. This latest announcement by Reda is a continuation of the Free and Open Source Software Audit (FOSSA) project that started in 2015. Adding bug bounties to FOSSA is a good step but the size of the overall pot is too small. The majority of security researchers will focus their attention on other bug bounty programmes where the rewards are greater.