Starting this month the European Commission (EC) will kick off a series of bug bounties aimed at finding and patching security bugs in open source software (OSS).
Each of the bug bounties, which offer prize pools of between €25,000 and €90,000 (AUD$40,518 and AUD$145,868), targets open source programs that are widely used within the EC.
The EC selected software it would fund bug bounties for based on previous inventories of software usage within the EC and a public survey about what projects should be supported.
Open source projects that will get EC-incentivised attention in coming months include the FileZilla FTP software, the KeePass password manager, the Drupal CMS software, and the Apache Software Foundation’s implementation of Java technologies, Apache Tomcat.
The bug bounties are part of the EC’s Free and Open Source Software Audit (FOSSA) project that was kicked off in response to the 2014 discovery of the Heartbleed bug that affected the OpenSSL cryptography library.
OpenSSL is an implementation of the Transport Layer Security (TLS) protocol that’s widely used in Linux distributions like Ubuntu and Debian for encrypting payment data and email on the web.
Other software that has been allocated European bug bounty funding includes Apache Kafka, Notepad++, PuTTY, VLC Media Player, FLUX TL, 7-zip, Digital Signature Service, glibc, PHP Symfony, WSO2, and midPoint.
The EC’s software inventory discovered that about 18 percent of its 46,000 software items were open source software. It also found around 3 million instances of open source software out of 19 million total instances of software.
The top 10 apps included Firefox, Info-ZIP, VLC, Calibre, 7-Zip, FileZilla FTP Client, Greenshot OCR, KeePass, WinDirStat and GIMP. The top development platform was Notepad++, while the top libraries were Firefox utilities such as plugin-container and plugin-hang-ui.
The first phase of FOSSA that commenced in 2015 focussed on an inventory of free software the EC relies on and how software developers handle security in their projects.
The second phase, dubbed FOSSA 2, extended the project for three more years and ran a few bug bounties as a trial run for future bounties. Those were aimed at bugs in Apache and KeePass.
The bug bounties will be run on the third-party bug bounty platforms HackerOne, a US firm, and Intigriti, a Belgian firm.