For the FOSSA pilot project to improve the security of open source software that my colleague Max and I proposed, the European Commission sought your input on which tools to audit.

The results are now in: The two overwhelming public favorites were KeePass (23%) and the Apache HTTP Server (19%). The EU has decided to follow these recommendations and audit both of these software projects for potential security issues.

Results of the vote

By following the results of the public vote, the EU will contribute to the security of both a popular security app for consumers and infrastructure that powers a large part of the World Wide Web:

KeePass is a password manager, an app that makes it easy to use different secure, complex passwords for all of your logins rather than reusing one memorisable password everywhere, which leaves you vulnerable if any one of the services you’ve signed up for is hacked. Versions of KeePass are available for a wide range of operating systems, including for your phone.

The Apache HTTP Server is used in the background to power about half the websites you visit[1]. It is also used widely in the EU institutions.

Almost 3300 votes were received in the survey. Runners-up with considerable support included the VLC media player and Linux operating system components. Using the write-in option, voters suggested many other pieces of security-critical software, most notably commonly used code libraries for the C/C++ programming languages and the SSL cryptographic protocol, as well as the VeraCrypt file/disk encryption tool.

Thank you for your feedback, which provided valuable input for future audits and proved to the EU that the open source community and users are interested in working together with democratic institutions to make software safer. I’d also like to thank members of the open source community for expressing some valid concerns about how the Commission and its contractors are conducting the project so far. The responsible people inside the Commission are aware of these criticisms and are paying attention.

What’s next

Between now and October, the consultancy Everis will establish contact with the teams behind KeePass and Apache, run automated tests and conduct manual audits of the code. Any vulnerabilities found will then be communicated directly to the projects.

Our application to extend this project by another two to three years has received an excellent rating in the Commission’s preliminary assessment. If approved, I hope we can build on the experiences gained so far and improve the process to include the community even more.

Contributing to the security of open source software widely used both inside and outside of the EU institutions should become a permanent part of the EU budget.

To the extent possible under law, the creator has waived all copyright and related or neighboring rights to this work.


  1.

    This is great. I use KeePass every day, all the time, on almost every device I have. It is a must-have for IT experts, but every smartphone and PC user could also benefit from it.

  2.
    Jared Ratliff

    Thank you for your hard work in this uphill battle!

  3.

    KeePass is using Microsoft .NET, so it’s not entirely free software and so it is not really secure (who can prove there is no backdoor in .NET?).
    Should use instead.