The European Commission’s First-Ever Bug Bounty Program
The European Commission has selected HackerOne as the platform for their first ever bug bounty program. This not only expands the number of government agencies that have selected HackerOne, it is our first project with the European Union’s executive arm.
This bug bounty program was made possible based on the framework created by the EU-Free and Open Source Software Auditing (EU-FOSSA) project, which aims to help EU institutions better protect their critical software. EU-FOSSA was created in the aftermath of the Heartbleed incident, which highlighted the presence of vulnerabilities in software widely used across the Commission.
Their bug bounty program will initially focus on VLC, a popular open source multimedia player loaded on every workstation at the Commission. It begins with a three-week, invitation-only session, after which it will be open to the public.
We recently chatted separately with the EU-FOSSA team running the VLC bug bounty project as well as the originator of the EU-FOSSA program.
Marek Przybyszewski and Pierre Damas work for the Open Source Strategy of the Directorate General for IT (DIGIT), which is essentially the IT department of the European Commission. The duo also manages the EU-FOSSA preparatory action, which includes the VLC bug bounty program with HackerOne. In this conversation, Marek and Pierre talk about the VLC bounty program specifically.
Running VLC’s Bug Bounty Program with HackerOne
Q: DIGIT is charged with providing secure IT infrastructure, among other things. Can you share some of your perspective on why the security of open source software is so important to your organization?
Marek Przybyszewski and Pierre Damas (MP & PD): The European Commission's IT Directorate General has been introducing Free and Open Source Software in its IT stack since at least the year 2000, when the first version of the Open Source Software Strategy was created. The use of Free and Open Source Software is increasing and became strategic in several areas: Linux is used at 80% of the servers of the Commission's Data Centre and the Europa website is running on Drupal, to name a few.
Q: You just launched the initial bug bounty program publicly, can you share a little bit about the scope and your approach?
MP & PD: The first EU-FOSSA pilot was made with traditional code reviews and succeeded in analysing KeyPass and Apache. No major vulnerabilities were found. We thought that, in an open spirit, we should involve researchers from all communities. We never organised a bug bounty before, so we started with a limited scope of a limited duration on one selected software that is deployed on our workstations: VLC.
Q: What led the Commission to specifically select a bug bounty program as a means for improving software security?
MP & PD: After the EU-FOSSA pilot, it was clear to the European Parliament Members involved and our team that we wanted to involve more researchers. Additionally, Marietje Schaake, Member of the ALDE group in the European Parliament had proposed a similar project to organise bug bounties on the running infrastructure of the EU institutions. We suggested we join her efforts with those proposed for the continuation of the EU-FOSSA project. With this current bug bounty contract, we aim to improve our own security while assessing the method and contributing to Open Source security in general.
Q: The project funding this bug bounty program, EU-FOSSA, is totally focused on, as the name says, free and open source software. Why is there a preference for “free and open source” software? Does DIGIT prefer open source software to packaged/paid software?
MP & PD: EU-FOSSA was created in the aftermath of Heartbleed, which demonstrated vulnerabilities in central elements of the global IT infrastructure. Security issues put everyone at risk, including the European Institutions. Where Free and Open Source Software makes up key components, we cannot only rely on commercial backing and sponsoring, but also need to take into account if a project has the capacity to take care of security itself. Through the FOSSA project, we are supporting Free and Open Source projects that make up a crucial element to the institutions and to modern economy and society at large.
Getting Parliamentary Support
We also spoke with Julia Reda, a Member of the European Parliament from Germany and a member of the European Parliament Committee on Internal Market & Consumer Protection (IMCO), and the Committee on Legal Affairs (JURI). Julia, the originator of the EU-FOSSA project, explained its background and intention.
Q: How did the EU-FOSSA program get started?
Julia Reda (JR): In 2014, after several vulnerabilities were found in critical and widely used Open Source components, with a colleague, Max Andersson, I suggested to create the Free and Open Source Software Audit (EU-FOSSA) project. The idea for the project came from the European Parliament and we secured the financing for it, but the practical implementation is in the hands of the European Commission.
Q: Why did you focus on Open Source software?
JR: It is important to understand that every day infrastructure we rely on for work, our private lives, and our fundamental freedoms — the Internet — depends on Open Source to work. Public institutions such as the EU have a responsibility to ensure the security and reliability of this infrastructure. That is why we are using a small part of the EU budget to finance security research into Open Source projects, improving security for both the European institutions themselves as well as for everyone using them.
Q: Why was VLC selected for the initial bug bounty program?
JR: VLC is a perfect example of a widely used piece of software that has an active community and a user base beyond the EU institutions.
Q: Will the EU-FOSSA project continue?
JR: One of the goals of the EU-FOSSA project is to establish a permanent item in the EU budget to improve the security and reliability of our common infrastructure, the Internet and its basis, Free/Libre and Open Source Software. The EU-FOSSA project aims to find out which approach works best. Bug bounties are a great way to involve the community more closely, so a successful pilot project could lead to more bug bounties in the future.
Q: Anything you’d like to share with the “bug hunters” in the VLC bug bounty program?
JR: Happy hacking!
To learn more about the European Commission’s very first bug bounty program, visit the VLC bug bounty program page on HackerOne.