In an effort to put their money where their software is, the European Commission has announced that they will dedicate some €850,000 towards paying for bugs discovered in 14 different commonly used open source projects including Apache Tomcat and Kafka, FileZilla, and Drupal.
The initiative, as described by the German Pirate Party rep Julia Reda, is a continuation of the Free and Open Source Software Audit (FOSSA) program. FOSSA came about in response to the 2014 Heartbleed vulnerability discovery which uncovered critical vulnerabilities in OpenSSL.
Heartbleed was a wake-up call for the industry to how dependent software applications are on open source components. Even as some projects like Kafka and Tomcat have the Apache Foundation standing behind them, backed by giants including Google, Facebook, and Microsoft to name a few, most are simply labors of love by dedicated individual developers.
Doubling down on open source security vulnerabilities
Given the criticality of open source projects in major software products, many are beginning to understand that free software may not be quite as free as they previously thought.
When we purchase software from a commercial vendor, we expect them to do the work of keeping it in good working order, fixing vulnerabilities that may come up along the way and issuing patches and version updates. This is not the case in many open source projects, where maintainers work on the project in their spare time.
As they are not meant to be commercial enterprises, they are not staffed to respond to issue updates at the same rate as, say, Microsoft’s Windows. This is not to detract from the quality of their work, which is often well proven and tested by members of the community and the many users of a component, but simply to state that we need to think about them differently from commercial offerings.
While efforts from Linux’s much vaunted CII, which provides grants to support projects that they view as critical (Debian, OpenSSH, and others), it is helping to bring important funding to the table, there has been some surprising pushback to the bug bounty being promoted by Julia Reda and her team.
No good deed goes unpunished
Given the Wild West atmosphere that is inherent in open source vulnerability space, one would think that the EU’s putting money down to help uncover security flaws might be applauded. Given the reaction in recent days, this has clearly not been the case.
The thrust of the argument is that, while bug bounties can be a good thing to run, the real issue lies in supporting the project maintainers, providing them with the necessary funding and incentives to squash the bugs and write the fixes for vulnerabilities.
Katie Moussouris, CEO of Luta Security, a company that helps organizations set up their own vulnerability disclosure programs, came out against the European Commission’s move disagreeing “that it's a good thing on its own.”
Reda and others, including Josh Bressers, have responded to the announcement, noting that for a variety of technical and practical reasons such as the difficulty in verifying that payments are going to the right maintainers and overcoming bureaucratic payment issues, the EU would be hard pressed to send financial support to the maintainers of the projects.
Therefore, they argue that the bug bounty should be viewed as both the most pragmatic step that they can take, as well as hopefully the first of many actions taken to improve security for these popular open source projects.
Bug bounty alternatives
In the time that it will take large bodies like the EU to figure out how to handle the red tape, there are existing options for open source project users to support the maintainers and keep receiving the high quality and secure components that they depend on.
Tidelift is a startup that has raised $40 million with their Series A and B rounds over the past year to act as brokers for connecting organizations with the project maintainers, channeling the funds to help incentivize the upkeep of important projects.
The brass tacs of open source security
However, for organizations that develop software and want to keep their products secure, this brouhaha over bug bounties and project takeovers may feel beside the point. The open source community is already doing an outstanding job of finding vulnerabilities in open source projects and reporting them.
Furthermore, despite the concerns that maintainers may end up being overloaded with work, our research shows that upwards of 97% of vulnerabilities have a fix available.
While bug bounties may be the sexier side of vulnerability management, it only makes up a small percentage of the overall risk to open source components. Attackers know that they have increased odds of success by simply using the known vulnerabilities and finding a target who has been too slow implementing the fix.
We need to see organizations adopting technologies that help them manage their open source usage, embracing automation to give them the capacity to deal with the scale of their development.
No matter how you fall on the bug bounty debate, my sense is still that all parties are basically in agreement but differ on what they are prepared to settle on. That said, I’m thankful to see more attention being paid to the fact that open source is a central part in how we build applications.
As such, we should take a keen interest in finding ways to work with it smarter and more securely, and encourage others to join us in this effort as a community — even if we sometimes disagree on the best way forward.