14 open source projects get EU funding for bug bounty payments

by Mark Tyson on 31 December 2018, 14:41

Tags: European Commission


Starting from the New Year, the European Union has decided to fund bug bounty programmes for a plethora of important open source projects. There are 14 projects covered by this initiative, starting from January 2019. The EU reckons its funding will shore up the integrity and reliability of the internet and other infrastructure, benefitting organisations and institutions not just in Europe, but worldwide.

This is the third time the EU has approved bug bounty funding as part of the Free and Open Source Software Audit (FOSSA) project. Back in 2015 it approved funding of research into vulnerabilities in the OpenSSL library, which is highly important to encrypted internet traffic. Furthermore, the Apache web server and the KeePass password manager received security audits.

In 2017 FOSSA2 included funding to help quash bugs in the VLC Media Player app. The project extension included a series of hackathons with meetings and collaborations between free software developers.

Now, in its third edition, FOSSA has budgets for 14 bug bounty programmes as in the table below:

Software Project                  Bug Bounty Amount (Euro)  Start Date  End Date    Bug Bounty Platform
FileZilla                         58.000,00 €               07/01/2019  15/08/2019  HackerOne
Apache Kafka                      58.000,00 €               07/01/2019  15/08/2019  HackerOne
Notepad++                         71.000,00 €               07/01/2019  15/08/2019  HackerOne
PuTTY                             90.000,00 €               07/01/2019  15/12/2019  HackerOne
VLC Media Player                  58.000,00 €               07/01/2019  15/08/2019  HackerOne
FLUX TL                           34.000,00 €               15/01/2019  15/10/2019  Intigriti/Deloitte
KeePass                           71.000,00 €               15/01/2019  31/07/2019  Intigriti/Deloitte
7-Zip                             58.000,00 €               30/01/2019  15/04/2020  Intigriti/Deloitte
Digital Signature Services (DSS)  25.000,00 €               30/01/2019  15/10/2019  Intigriti/Deloitte
Drupal                            89.000,00 €               30/01/2019  15/10/2020  Intigriti/Deloitte
GNU C Library (glibc)             45.000,00 €               30/01/2019  15/12/2019  Intigriti/Deloitte
PHP Symfony                       39.000,00 €               30/01/2019  15/10/2019  Intigriti/Deloitte
Apache Tomcat                     39.000,00 €               30/01/2019  15/10/2019  Intigriti/Deloitte
WSO2                              58.000,00 €               30/01/2019  15/04/2020  Intigriti/Deloitte
midPoint                          58.000,00 €               01/03/2019  15/08/2019  HackerOne

As pointed out by Julia Reda's blog on the latest FOSSA funding, the bounties paid will vary according to the severity of the issue uncovered and the relative importance of the software. Thus, it seems the best bounties could come from bug hunting in PuTTY and Drupal. Of course, bug hunters will likely look in areas that best fit their skills rather than purely in line with potential reward.

ZDNet says that to qualify for a reward, security researchers must get their bug report approved and the software project patched in a subsequent release. That is a reminder that finding the bugs may be less than half the job: open source developers need the resources to work out fixes for any errors found in order to patch them.

7-Zip updated

In related open source news, the popular free file archiver 7-Zip has just been updated. You can find the home page with release notes and download links here.



HEXUS Forums :: 2 Comments

The official page of PuTTY is actually: https://www.chiark.greenend.org.uk/~sgtatham/putty/

Overall, some interesting inclusions that will hopefully benefit in a big way.
Great news. I am using a few from the list daily; knowing they will be more secure is nice.