Free and Open Source Software Auditing

The European Union (EU) has announced it is to support several open source bug bounty programmes. It is doing so in order to protect the open source software that the EU is becoming ever more reliant upon. The move was announced by Member of the European Parliament (MEP) Julia Reda, who listed 15 projects. However, only 14 will receive funding, although it is not clear which one will be left out.

The 15 projects, the size of the bug bounty and the bug bounty platform were detailed by Reda. The list is:

| Software Project | Bug Bounty Amount (Euro) | Start Date | End Date | Bug Bounty Platform |
| --- | --- | --- | --- | --- |
| Filezilla | 58.000,00 € | 07/01/2019 | 15/08/2019 | HackerOne |
| Apache Kafka | 58.000,00 € | 07/01/2019 | 15/08/2019 | HackerOne |
| Notepad++ | 71.000,00 € | 07/01/2019 | 15/08/2019 | HackerOne |
| PuTTY | 90.000,00 € | 07/01/2019 | 15/12/2019 | HackerOne |
| VLC Media Player | 58.000,00 € | 07/01/2019 | 15/08/2019 | HackerOne |
| FLUX TL | 34.000,00 € | 15/01/2019 | 15/10/2019 | Intigriti/Deloitte |
| KeePass | 71.000,00 € | 15/01/2019 | 31/07/2019 | Intigriti/Deloitte |
| 7-zip | 58.000,00 € | 30/01/2019 | 15/04/2020 | Intigriti/Deloitte |
| Digital Signature Services (DSS) | 25.000,00 € | 30/01/2019 | 15/10/2019 | Intigriti/Deloitte |
| Drupal | 89.000,00 € | 30/01/2019 | 15/10/2020 | Intigriti/Deloitte |
| GNU C Library (glibc) | 45.000,00 € | 30/01/2019 | 15/12/2019 | Intigriti/Deloitte |
| PHP Symfony | 39.000,00 € | 30/01/2019 | 15/10/2019 | Intigriti/Deloitte |
| Apache Tomcat | 39.000,00 € | 30/01/2019 | 15/10/2019 | Intigriti/Deloitte |
| WSO2 | 58.000,00 € | 30/01/2019 | 15/04/2020 | Intigriti/Deloitte |
| midPoint | 58.000,00 € | 01/03/2019 | 15/08/2019 | HackerOne |


In all, this amounts to over €851,000 (£762,500, US$972,100). While this might seem a large amount of money, it is relatively small in terms of bug bounties. It will also have to be split over multiple bugs as they are reported, making it difficult to know what each security researcher can expect to earn.

Bug bounties key to improving the underlying software

Julia Reda, MEP for @Piratenpartei and the European Pirate Party (PPEU) | Vice-Chair of @GreensEP group

Advocates of open source say that it is more secure than commercial software due to the number of people looking at the source code. That sounds good, but as we’ve seen in recent years, it is far from reality. That is because it relies on the willingness of an often very small group of people to validate code contributed by others. It also often assumes that older code has already been checked and no longer needs to be looked at.

Bug bounties change that relationship. They provide a reason for people to check the code contributed by others. They also help the community to create better mechanisms to ensure that it deals with security earlier in the software development cycle.

However, even when bugs are found and fixed, it does not make those using the software any more secure. That is because simply fixing the underlying code does not mean that users will update their version of the software. Without that step, bug fixes are of very limited use. This is not just about individual instances of the software. As the EU and other organisations move further down the path of greater software integration, it only takes one unpatched project to cause problems for everyone.

Drupal is a good example of this. It was a target for several attacks last year that exploited known bugs. However, as of 27 December 2018, NTT Security reported it had found around 62,00 unpatched public-facing Drupal servers.

Enterprise Times: What does this mean?

Anything that improves the quality of software is to be welcomed. This latest announcement by Reda is a continuation of the Free and Open Source Software Audit (FOSSA) project that started in 2015. Adding bug bounties to FOSSA is a good step, but the size of the overall pot is too small. The majority of security researchers will focus their attention on other bug bounty programmes where the rewards are greater.
