The EU has announced that the European Commission will launch a bug bounty program, run in partnership with HackerOne and Intigriti, as part of its Free and Open Source Software Audit (FOSSA) project.
The third edition of FOSSA will cover 15 software programs: 7-Zip, Apache Kafka, Apache Tomcat, Digital Signature Services (DSS), Drupal, FileZilla, FLUX TL, the GNU C Library (glibc), KeePass, midPoint, Notepad++, PHP Symfony, PuTTY, VLC Media Player and WSO2, according to Member of the European Parliament Julia Reda.
Reda, who has written extensively about the security risks in OpenSSL, launched the FOSSA project with her colleague Max Andersson in 2015; the project is now moving into its third phase. The first 14 bug bounty projects will commence in January 2019, with the final project beginning in March.
While bug bounty programs call upon the hacker community to come together in search of vulnerabilities, applying the crowdsourced concept to open source presents unexpected challenges, according to Tim Mackey, senior technical evangelist at Black Duck by Synopsys.
“Since bug bounty programs favor the discovery of issues with an implicit assumption that resources exist to resolve found issues, any security issue disclosed in public leaves users vulnerable until a fix is found.
“Once a fix is created, that fix needs to be delivered to users. This is by far the most significant hurdle for bug bounty–based efforts in FOSS. The core challenge being an assumption valid only with commercial software – [that] there is a single release stream to upgrade. As the FOSS community knows very well, branches of releases are very common, and it may be difficult to apply a fix from one branch to another.”
Though Mackey applauded the EU for creating the bug bounty program, he argued that funding developers and security professionals to work with the communities creating their target applications is also important.
“That way not only are issues being discovered, but the overall process can be improved while addressing any issues uncovered. It should be noted that the target projects represent a very small percentage of open source projects, and that while these are obviously critical projects for the EU, it would be worthwhile for the EU to investigate expanding this effort.”
In a December 28, 2018, tweet, Reda expressed the same sentiment. “That would indeed be better, but the @EU_Commission can’t just dish out money to developers who haven’t gone through an onerous public tender process that favours large consultancies that specialize in bidding for tenders rather than Drupal development.”
This project differs from other bug bounties, however, in that bug hunters earn a bonus for remediating the vulnerability they report by providing a valid fix, according to Laurie Mercer, security engineer at HackerOne. "For decades the European Commission has supported and encouraged the collaborative development and re-use of publicly-financed open source software.
"This new project, part of the EU-Free and Open Source Software Auditing (EU-FOSSA) project, is designed to improve the security of free software by offering bug bounties to anyone who can discover security vulnerabilities in commonly used packages. Under the terms of Responsible Disclosure, no bugs will be publicly disclosed until they have been patched. This is in line with existing projects run by open source communities like Node.js and Apache.”