EU-FOSSA 2 Open Source Bug Bounty Programme Series Q&A

The European Commission is expanding its bug bounty program to include open source software on a larger scale. The EU-Free and Open Source Software Auditing (EU-FOSSA 2) project aims to enhance the security of critical software used by EU institutions. This initiative comes in the wake of the Heartbleed incident, which exposed vulnerabilities in widely used software within the Commission.

The bug bounty program will initially focus on popular open source software utilized by the Commission. Marek Przybyszewski and Saranjit Arora, key figures leading the EU-FOSSA 2 project, shared insights into the project and its objectives. Marek, from the Open Source Strategy of the Directorate General for IT (DIGIT), and Saranjit manage the bug bounty program in collaboration with HackerOne.

When asked about the purpose of launching a bug bounty program for open source projects for the second time, Marek and Saranjit highlighted the success of the initial EU-FOSSA project and the Commission’s commitment to enhancing the security of FOSS. EU-FOSSA 2 aims to extend its scope to additional European institutions, utilize bug bounties as the primary method for finding vulnerabilities, and engage more with the FOSS developer community and the general public through events and enhanced communication.

The EU-FOSSA initiative exclusively focuses on free and open source software due to the vulnerabilities exposed by Heartbleed in crucial elements of the global web infrastructure. By safeguarding the FOSS used by European institutions, the EU not only protects itself but also contributes value to the open source community and the general public.

In the current round of the bug bounty program, EU-FOSSA 2 has selected 15 open source software projects, including FileZilla, Apache Kafka, Notepad++, PuTTY, VLC Media Player, and others. The selection process involved assessing the criticality and usage of the software by European institutions, as well as recommendations from the public. The goal is to target software that is most relevant for bug bounty programs.

The program aims to uncover security vulnerabilities through bug bounties, with findings being publicly disclosed after patches are implemented. Developers responsible for fixing the vulnerabilities will receive support from the EU-FOSSA 2 project, including bonus prizes for successful fixes and bug-fixing hackathons to promote collaboration and solutions.

For hackers interested in participating, the EU-FOSSA 2 program offers a chance to contribute to the safety of open source software and earn rewards. The European institutions are dedicated to ensuring the security of FOSS and encourage hackers to be part of this pioneering initiative.

To learn more about the EU-FOSSA 2 programs, visit their program pages. HackerOne, the leading hacker-powered security platform, supports organizations in identifying and addressing critical vulnerabilities to prevent exploitation. Their bug bounty program solutions offer vulnerability assessment, crowdsourced testing, and responsible disclosure management. For more information on security testing solutions, visit HackerOne’s website or contact them directly.
