Last updated: January 16, 2019

Current event

January 2019: Bug bounties have started!

1st phase: the FOSSA pilot project

In 2014, I started the Free and Open Source Software Audit (FOSSA) project to help improve the overall security of the Internet, after severe vulnerabilities were discovered in key infrastructure components like OpenSSL.

The “pilot project” phase ran over two years from 2015-2016. Part of it was to create an inventory of the Free and Open Source Software used at the European Commission and the European Parliament. (After concerns over possible security implications delayed the publication, the Commission published the full inventory (see “WP4: Full inventory”) in October 2018.)

The main measure of the pilot phase, however, was the security audit of Apache and KeePass.

Security audit for our common infrastructure

The Internet is built on Free and Open Source Software. It is part of our everyday lives. Therefore the European Commission and public administrations in general have a responsibility to ensure its stability, reliability and security – by investing in it.

2nd phase: the FOSSA preparatory action

In 2017, FOSSA was renewed for an additional 3 years. With the introduction of bug bounties as a part of FOSSA 2, I want the EU to reach out more directly to developers, security researchers, and hackers.

FOSSA is managed and executed by the European Commission.

FOSSA bug bounty

A Bug Bounty is a prize for people who actively search for security issues. Usually, the amount depends on the budget of the software or hardware scrutinized, and the severity of the issue uncovered.

In November 2017, the Commission announced that it would run the first bug bounty of FOSSA 2 on VLC Media Player as a proof of concept. According to the Commission, this allowed them to acquire experience in running bug bounties that can then be used for the main project.
You can read an interview with the managing team on the bug bounty platform HackerOne’s web site.

Companies could apply to run the bug bounties in a public Call for Tenders that was launched in April 2018. In October 2018, three companies were announced as bug bounty providers. The main bug bounties are expected to start by the end of the year.

In December 2018, the list of projects that will receive a bug bounty was announced. The first of a total of 15 bounties were made public in January 2019.

Outreach: FOSSA hackathons

One of the main outcomes of the first FOSSA year was the idea that audits alone aren’t sufficient to increase security. Instead, we must approach security already in software development. To that end, we want to invite projects to Brussels to spend time together to work on security-relevant issues in their software, and to learn more about secure software development.

After the bug bounties have run and, hopefully, many bugs have been found, the Commission will run several hackathons where developers from the projects and from the European Institutions that rely on their software can come together.

The Commission will also continue to reach out to the Free Software community at conferences and events.

Free Software security should be a permanent EU budget item

I think that the security of Free Software is in our common interest. Not only do people rely on Free Software for their daily use, they also rely on it because it is the foundation of the Internet infrastructure. Consequently, the European Institutions, governments and administration throughout Europe and beyond rely on its security.

That is why the goal with the FOSSA project is to establish Free Software Security as a permanent item in the EU budget.

To the extent possible under law, the creator has waived all copyright and related or neighboring rights to this work.
