EU-funded vulnerability disclosure platform paid out more than $220k over 18 months

The EU program has been well received

The EU’s EU-FOSSA 2 bug bounty project has come to an end, with the team behind it claiming it has met its objective.

Set up in the aftermath of the 2014 Heartbleed bug, which caused over €500 million ($564 million) worth of damage worldwide, the project aimed to improve the security of critical open source software used by European institutions and the general public.

This involved setting up bug bounty programs, organising hackathons and conferences, and engaging with developer communities.

“I would be really glad to be part of any future project at least half as successful as this one,” commented Member of European Parliament (MEP) and vice president Marcel Kolaja at the final meeting of the project steering committee.

Trials and triumphs

Hundreds of vulnerability reports have been submitted since the EU-FOSSA 2 bug bounty scheme kicked off in January 2019.

More than 200 bugs were identified, of which 70 were critical or high severity, and more than €200,000 ($227,000) was paid out in rewards. One vulnerability in PuTTY, says the team, had lain undiscovered for over 20 years.

File access and transfer software FileZilla was one organization to take advantage of the program, and invested funds to help keep it going.

“The bounty program has been very useful. It identified weaknesses in handling the local user input or the user's environment,” Tim Kosse, FileZilla project lead developer, tells The Daily Swig.

“At the same time, it showcased the robustness of the way we verify data coming over the network.”

Meanwhile, three hackathons were held. The first, for PHP framework Symfony, addressed or resolved more than 230 issues; a second brought together software developers from six Apache projects.

In the third event, almost 100 developers from around the world co-created eight different open source projects.

Read more of the latest bug bounty news

Other activities included creating new inventories of open source software for the Commission and the European Council and a worldwide study on the trends and usage of open source software in public administrations, as well as a study to establish licencing and IT support requirements for future open source projects.

“Thanks to EU-FOSSA and EU-FOSSA 2 we were able to identify hundreds of vulnerabilities, and it was much more efficient for the open source software community, rather than having individuals dealing with those alone,” says MEP Andrus Ansip.

EU-FOSSA 2 received widespread support – not least from Julia Reda, German researcher and politician and former MEP.

“FOSSA-2 was a remarkably successful project for the EU,” she tells The Daily Swig.

“Not only did it help fix critical vulnerabilities in software that we rely on on a daily basis, it also drastically improved the image of the European Commission with the hacking and IT security community, which is often quite critical of EU legislation.”

RELATED EU calls for ceasefire on cyber-attacks exploiting coronavirus pandemic

Although EU-FOSSA 2 has come to an end, says the team, there are hopes that some of its work will continue, possibly under the auspices of the ISA2 program, which works on interoperability solutions for European public administrations.

“It is imperative that the EU continues investing in the security of open source software beyond the end of FOSSA 2,” says Reda.

“Recent news that the US government plans to de-fund the Open Technology Fund has highlighted how a small public contribution to open source projects such as Signal or Tor can support the security of investigative journalists and activists standing up to oppressive regimes worldwide.

“If the US is no longer willing to play that role, the EU should view this as a leadership opportunity to step up and create its own equivalent of the Open Technology Fund.”

READ MORE DARPA launches hardware security bug bounty program