1. TechSpot is dedicated to computer enthusiasts and power users. Ask a question and give support. Join the community here.
    TechSpot is dedicated to computer enthusiasts and power users.
    Ask a question and give support.
    Join the community here, it only takes a minute.
    Dismiss Notice

EU to fund bug bounties for open source projects including PuTTY, Notepad++, KeePass,...

By mongeese · 9 replies
Dec 30, 2018
Post New Reply
  1. The European Union has recognized this problem, and as part of their Free and Open Source Software Audit (FOSSA) they’ve set up a bug bounty for 15 applications. The bounty ranges from $30,000 to $100,000 depending on the software in question, and of course, on the seriousness of the vulnerability discovered.

    In order of most well-paying to least, the software list includes: PuTTY, Drupal, Notepad++, KeePass, Filezilla, Apache Kafka, VLC Media Player, 7-zip, WSO2, midpoint, GNU C Library, PHP Symfony, Apache Tomcat, and Flux TL.

    FOSSA, and the introduction of these bug bounties, comes via EU Member of Parliament Julia Reda. According to her blog post on the bounties, FOSSA launched as a direct result of vulnerabilities found in the open source library OpenSSL in 2014.

    The issue made lots of people realize how important Free and Open Source Software is for the integrity and reliability of the Internet and other infrastructure. Like many other organisations, institutions like the European Parliament, the Council and the Commission build upon Free Software to run their websites and many other things.

    But the Internet is not only crucial to our economy and our administration. It is the infrastructure that runs our everyday lives. It is the means we use to retrieve information and to be politically active. That is why my colleague Max Andersson and I started the Free and Open Source Software Audit project: FOSSA.

    FOSSA launched phase one in 2015, where it conducted a public survey about what to audit. The results were Apache HTTP web servers and password manager KeePass, and they audited them both with a $1.15 million budget in 2016. Phase two launched last year, where they ran a bug bounty program on HackerOne for the VLC Media Player app.

    Phase three was in planning this year and will officially kick off throughout January next year, as each of these bug bounties go live on Intigriti and HackerOne.

    Permalink to story.

  2. Adorerai

    Adorerai TS Enthusiast Posts: 53   +23

    Is there a potential for this to be abused by developers, maybe introduce clever bugs?
    Reehahs and Uncle Al like this.
  3. FF222

    FF222 TS Addict Posts: 186   +114

    By restricting the bug bounty to open source software only, this program totally misses the point. Now, subsidizing open source software might be a valid executive decision (even though it flies totally in the face of basic economics), but that obviously shouldn't be done through a bug bounty program. Because the latter's primary purpose is to enhance security by incentivizing finding and reporting bugs, which, however, are things that do not depend on the source for the software being publicly available, let alone on it distributable and modifiable (what OSS is really about). Also, most of these software (with probably the exception of VLC) own negligible user base in their respective markets, so, most EU citizens won't profit from these incentives and payouts. The same money would be better spent if it would be spent on (or at least extend to) finding bugs is commercial software with higher market penetration and larger user base.
    Last edited: Dec 30, 2018
  4. Plutoisaplanet

    Plutoisaplanet TS Booster Posts: 100   +77

    Unfortunately at least for PuTTY, the problem isn’t finding/reporting bugs but fixing them. There’s like one guy working on it, Simon Tatham. This is evident given the last stable version released (over a year ago).

    In some cases, this money would be put to far better use funding the projects, especially because many of these developers don’t receive real income from these projects and are actually volunteering their time. Their livelihoods are their day jobs, not these open source projects.

    This isn’t true for all of these projects though, especially for VLC (VideoLAN).
    Eldritch and Godel like this.
  5. Uncle Al

    Uncle Al TS Evangelist Posts: 5,503   +3,891

    I would have to say that any assistance has to be good assistance. Ultimately it's up to the developer to add these "bug fixes" and hopefully they are skilled enough to be able to identify any malicious code but the old saying for most code writers is "when in doubt, leave it out" ...... OK, OK, OK .... yes, I did just make that up but it still sounds like sage advice and back in the day when I was writing COBAL it was something we did live by. Now lets see how many ask what's COBAL ..... LOL
  6. xxLCxx

    xxLCxx TS Addict Posts: 231   +153

    That's what it was called back then, when those programmers still had hair. ;-)
    Uncle Al likes this.
  7. iamdanvillareal

    iamdanvillareal TS Rookie

    How can we report bugs?
  8. xxLCxx

    xxLCxx TS Addict Posts: 231   +153

  9. jobeard

    jobeard TS Ambassador Posts: 12,990   +1,553

    Clearly unknown in Washington D.C., but truth is still truth. Worked in my day, your day and will still work tomorrow. IMO, fundamentals will take you further than the "neat trick of the day" every time.
  10. James00007

    James00007 TS Booster Posts: 116   +14

    "institutions like the European Parliament, the Council and the Commission build upon Free Software to run their websites and many other things."


Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...