EU-FOSSA 2 Open Source Bug Bounty Programme Series | Q&A
Following the success of the European Commission’s pilot bug bounty programme with HackerOne last year, they are announcing the launch of a new bug bounty initiative involving open source software on a much larger scale. This bug bounty programme run by the EU-Free and Open Source Software Auditing (EU-FOSSA 2) project, aims to help EU institutions better protect their critical software. EU-FOSSA was created in the aftermath of the Heartbleed incident, which highlighted the presence of vulnerabilities in software widely used across the Commission.
Their bug bounty programme will initially focus on a variety of popular open source software used at the Commission. We recently chatted separately with Marek Przybyszewski and Saranjit Arora who are leading the EU-FOSSA 2 project. Marek works for the Open Source Strategy of the Directorate General for IT (DIGIT), which is essentially the IT department of the European Commission. Together with Saranjit he also manages the EU-FOSSA 2 preparatory action, which includes the bug bounty programme with HackerOne. Below is a glimpse into the conversation.
Q: This is the second time the European Commission is launching a bug bounty programme to support open source projects. Why? What is the purpose of the initiative?
MP & SA: The initial EU-FOSSA project was a pioneering and successful effort, with the European Commission actively looking to improve the security of FOSS it used. EU-FOSSA 2 aims to go further and explore additional avenues to secure the FOSS European institutions use. In particular, EU-FOSSA 2 will:
- Extend the scope to additional European institutions;
- Use Bug Bounties as the primary method for finding vulnerabilities;
- Deepen engagement with the FOSS developer community and the EU public audience through events and enhanced communication.
Q: The project funding this bug bounty programme, EU-FOSSA, is totally focused on, as the name says, free and open source software. Why is there a preference for “free and open source” software?
MP & SA: The EU-FOSSA initiative was created in the aftermath of Heartbleed, which demonstrated vulnerabilities in open source software which formed the central elements of the global web infrastructure; and is focused solely on FOSS by design. Security issues put everyone at risk, including the European institutions. As an enthusiastic user of Free and Open Source Software, the EU has a responsibility to ensure the FOSS it uses is safe. This way, we not only protect ourselves, but also add value to the open source community and to the general public, who increasingly use open source software on their devices.
Q: What open source projects were selected in this round? Why were they selected?
MP & SA: In this round, the EU-FOSSA 2 project has selected the following software: Filezilla, Apache Kafka, Notepad++, PuTTY, VLC Media Player, FLUX TL, KeePass, 7-zip, Digital Signature Services, Drupal, GNU C Library, PHP Symfony, Apache Tomcat, WSO2 and MidPoint.
The selection method included studying the inventory of the most commonly used OSS ranked by criticality, and also taking into account software used by multiple European institutions and suggestions from the EU public. Software that was already receiving support from other initiatives was excluded, and ultimately, these 15 open source software projects were deemed as the most relevant and will be the target of bug bounty programmes.
Q: What kinds of vulnerabilities is EU-FOSSA 2 most interested in uncovering through the programme? Will findings be made public?
MP & SA: In each bug bounty, there is close cooperation with its software development community, who actually defines the scope of testing. In all cases, the target is security vulnerabilities. Each vulnerability found will be examined and then classified, and the developer remunerated accordingly. Vulnerabilities will be disclosed publicly. However, we aim to follow the industry standard practice of disclosing vulnerabilities publicly, only after they have been patched.
Q: How is EU-FOSSA 2 supporting the developers responsible for fixing the vulnerabilities found throughout the programme?
MP & SA: The EU-FOSSA 2 project is helping developers to fix vulnerabilities in a number of ways. For example, by offering a 20% bonus prize money to the developer who finds the vulnerability. This is a great incentive for the hackers to contribute a solution, which will help the communities to address the vulnerabilities that are discovered. Other ways include arranging bug-fixing Hackathons. The European Commission will be hosting three Hackathons in 2019, which aim to bring together in Brussels, geographically distributed open source software communities to interact with each other and with developers working within the EU institutions.
Q: Any advice for hackers? Encouraging words for participation?
MP & SA: The European institutions are highly committed to not only using open source but also making sure it is safe. For hackers, this is an opportunity to play a role in this pioneering European initiative and help open source become safer, and at the same time earn some cash rewards. We would like to thank in advance to all those who dedicate their time and efforts to this programme, your contribution will surely have an impact on many users.
To learn more about the EU-FOSSA 2 programmes, visit their programme pages: