EU to fund bug bounties for open source projects including PuTTY, Notepad++, KeePass,...

mongeese

Why it matters: The internet largely relies on open source projects to survive, but these are often developed by hardworking and charitable developers rather than well-paid employees. An unfortunate consequence of this is that developers simply don’t get the time and resources they require to hunt down the vulnerabilities that are so pervasive in complex code.

The European Union has recognized this problem, and as part of their Free and Open Source Software Audit (FOSSA) they’ve set up a bug bounty for 15 applications. The bounty ranges from $30,000 to $100,000 depending on the software in question, and of course, on the seriousness of the vulnerability discovered.

In order of most well-paying to least, the software list includes: PuTTY, Drupal, Notepad++, KeePass, Filezilla, Apache Kafka, VLC Media Player, 7-zip, WSO2, midpoint, GNU C Library, PHP Symfony, Apache Tomcat, and Flux TL.

FOSSA, and the introduction of these bug bounties, comes via EU Member of Parliament Julia Reda. According to her blog post on the bounties, FOSSA launched as a direct result of vulnerabilities found in the open source library OpenSSL in 2014.

The issue made lots of people realize how important Free and Open Source Software is for the integrity and reliability of the Internet and other infrastructure. Like many other organisations, institutions like the European Parliament, the Council and the Commission build upon Free Software to run their websites and many other things.

But the Internet is not only crucial to our economy and our administration. It is the infrastructure that runs our everyday lives. It is the means we use to retrieve information and to be politically active. That is why my colleague Max Andersson and I started the Free and Open Source Software Audit project: FOSSA.

FOSSA launched phase one in 2015, where it conducted a public survey about what to audit. The results were Apache HTTP web servers and password manager KeePass, and they audited them both with a $1.15 million budget in 2016. Phase two launched last year, where they ran a bug bounty program on HackerOne for the VLC Media Player app.

Phase three was in planning this year and will officially kick off throughout January next year, as each of these bug bounties goes live on Intigriti and HackerOne.


 
By restricting the bug bounty to open source software only, this program totally misses the point. Now, subsidizing open source software might be a valid executive decision (even though it flies totally in the face of basic economics), but that obviously shouldn't be done through a bug bounty program, because the latter's primary purpose is to enhance security by incentivizing finding and reporting bugs, which, however, are things that do not depend on the source for the software being publicly available, let alone on it being distributable and modifiable (what OSS is really about). Also, most of this software (with probably the exception of VLC) has a negligible user base in its respective market, so most EU citizens won't profit from these incentives and payouts. The same money would be better spent if it were spent on (or at least extended to) finding bugs in commercial software with higher market penetration and a larger user base.
 
Unfortunately at least for PuTTY, the problem isn’t finding/reporting bugs but fixing them. There’s like one guy working on it, Simon Tatham. This is evident given the last stable version released (over a year ago).

In some cases, this money would be put to far better use funding the projects, especially because many of these developers don’t receive real income from these projects and are actually volunteering their time. Their livelihoods are their day jobs, not these open source projects.

This isn’t true for all of these projects though, especially for VLC (VideoLAN).
 
I would have to say that any assistance has to be good assistance. Ultimately it's up to the developer to add these "bug fixes" and hopefully they are skilled enough to be able to identify any malicious code, but the old saying for most code writers is "when in doubt, leave it out" ...... OK, OK, OK .... yes, I did just make that up, but it still sounds like sage advice, and back in the day when I was writing COBAL it was something we did live by. Now let's see how many ask what's COBAL ..... LOL
 
the old saying for most code writers is "when in doubt, leave it out" ...... OK, OK, OK .... yes, I did just make that up but it still sounds like sage advice and back in the day when I was writing COBAL it was something we did live by. Now lets see how many ask what's COBAL ..... LOL
What's COBAL?
That's what it was called back then, when those programmers still had hair. ;-)
 
... old saying for most code writers is "when in doubt, leave it out" ...... OK, OK, OK .... yes, I did just make that up but...
Clearly unknown in Washington D.C., but truth is still truth. Worked in my day, your day and will still work tomorrow. IMO, fundamentals will take you further than the "neat trick of the day" every time.
 
"institutions like the European Parliament, the Council and the Commission build upon Free Software to run their websites and many other things."

Brexit!
 