Security researchers have welcomed a European Union-funded scheme to offer bug bounties on free and open source software projects that begins its roll-out this month.
The bounty scheme is an extension of the Free and Open Source Software Audit (FOSSA) project, and will reward ethical hackers who uncover flaws in key components of internet technologies such as Drupal and Apache Tomcat as well as consumer utilities such as the VLC Media Player.
Maximum payouts will range between €25k and €90k under a total of 15 programs, administered by either HackerOne or Intigriti/Deloitte, funded in large part by the EU.
The candidate software packages were carefully selected, according to a blog post by EU parliamentarian Julia Reda, who explains that payouts will be dependant on the severity of uncovered bugs:
In January the European Commission is launching 14 out of a total of 15 bug bounties on Free Software projects that the EU institutions rely on. A bug bounty is a prize for people who actively search for security issues. The amount of the bounty depends on the severity of the issue uncovered and the relative importance of the software. The software projects chosen were previously identified as candidates in the inventories and a public survey.
Reaction to the scheme from the tech community has been positive.
Mikko Hyponnen, chief research officer at F-Secure, described the scheme as a “great, practical move that will make a difference”.
Michael Goodman, an enterprise IT Operations and security expert, added: “The US government should get behind this as well. Open source software is pervasive, and too often easily manipulated by malicious actors. We need to protect it.”
Swedish information architect Alexandra Larsson said: “Great move - [it’s] important to understand that even open source requires investment in time and/or money from someone.”
Technology educator Matt Bury said in a post on Twitter: “The EU already has a FOSS-first directive. This will make FOSS [Free and Open Source Software] options more compelling.”
The FOSSA project began in 2014 in response to the discovery of flaws in the open source encryption library, OpenSSL, a technology widely used in business but underpinned by the efforts of just a few open source developers. This scenario is far from uncommon.
PortSwigger Web Security researcher Paul Johnston commented: “Many open source projects have become business critical but they sometimes lack attention to non-functional requirements like security. Bug bounty programs have been shown to be highly effective. Putting the two together is a win.”