‘We appreciate the opportunity to be part of this program,’ says FTP application founder

A European Union (EU) supported bug bounty program has helped FileZilla fix numerous security issues, founders of the open source software application announced this week.

The batch of bugs included one that caused filenames to be interpreted as commands within versions of the FTP client, an issue that was fixed within 24 hours, according to FileZilla founder Tim Kosse.

A second patched security issue threatened the application’s memory safety if a “custom external IP address resolver sent invalid chunk sizes”, Kosse explained, causing the FileZilla application to crash if that option was enabled, which it is not by default.

Another bug caused FileZilla to crash when a server sent large files via its directory listings.

Seven flaws, all now amended, were reported in detail by FileZilla in its latest update to the application’s participation in the open source bug bounty scheme, administered by the EU.

Not all issues carried a security impact, Kosse added.

“We are proud to have participated in the bug bounty program,” he said in a press statement published on Monday.

“Security is paramount for FileZilla; even the smallest anomalies get fixed promptly. We will continue our vigilance to provide excellent security as we continue to expand our products and services.”

The Free and Open Source Software Audit (EU-FOSSA) project was created in 2014 to help improve the security and accessibility of crucial internet technologies such as OpenSSL.

In January, the European Commission began funding 15 bug bounty programs for open source software projects, determined by an EU-led inventory and a public vote on which projects are the most accessed by users across the web.

Based in Germany, FileZilla was the most recent open source platform to join the EU-FOSSA initiative in July of this year, operating with a total bounty budget of €58,000 ($65,000) hosted through HackerOne. $6,313 has been given out so far, FileZilla told The Daily Swig.

Its contract with the scheme is due to end on August 15, although FileZilla said it would continue to maintain a bug bounty program, based on the successes with the EU-FOSSA program.

While Kosse told The Daily Swig it was “too early to go into specifics” regarding the next stage of its bug bounty program, FileZilla’s director of strategy, Roberto Galoppini, said this would be funded through revenues from FileZilla Pro.

Kosse added: “Participation in the program reflects the high priority FileZilla has always placed on security for its users.”

The EU-FOSSA bug bounty project is due to end in 2020, according to the contracts listed for each software project.
