Starting from the New Year, the European Union has decided to fund bug bounty programmes for a plethora of important open source projects. There are 14 projects covered by this initiative, starting from January 2019. The EU reckons its funding will shore up the integrity and reliability of the internet and other infrastructure, benefitting organisations and institutions not just in Europe, but worldwide.
This is the third time the EU has approved bug bounty funding as part of the Free and Open Source Software Audit (FOSSA) project. Back in 2015 it approved funding of research into vulnerabilities in the OpenSSL library, which is critical to encrypted internet traffic. In addition, the Apache web server and the KeePass password manager received security audits.
In 2017 FOSSA2 included funding to help quash bugs in the VLC Media Player app. The project extension included a series of hackathons with meetings and collaborations between free software developers.
Now, in its third edition, FOSSA has budgets for 14 bug bounty programmes as in the table below:
| Software Project | Bug Bounty Amount (Euro) | Start Date | End Date | Bug Bounty Platform |
|---|---|---|---|---|
| | 58.000,00 € | 07/01/2019 | 15/08/2019 | |
| | 58.000,00 € | 07/01/2019 | 15/08/2019 | |
| | 71.000,00 € | 07/01/2019 | 15/08/2019 | |
| | 90.000,00 € | 07/01/2019 | 15/12/2019 | |
| | 58.000,00 € | 07/01/2019 | 15/08/2019 | |
| | 34.000,00 € | 15/01/2019 | 15/10/2019 | |
| | 71.000,00 € | 15/01/2019 | 31/07/2019 | |
| | 58.000,00 € | 30/01/2019 | 15/04/2020 | |
| | 25.000,00 € | 30/01/2019 | 15/10/2019 | |
| | 89.000,00 € | 30/01/2019 | 15/10/2020 | |
| | 45.000,00 € | 30/01/2019 | 15/12/2019 | |
| | 39.000,00 € | 30/01/2019 | 15/10/2019 | |
| | 39.000,00 € | 30/01/2019 | 15/10/2019 | |
| | 58.000,00 € | 30/01/2019 | 15/04/2020 | |
| | 58.000,00 € | 01/03/2019 | 15/08/2019 | |
As pointed out by Julia Reda's blog on the latest FOSSA funding, the bounties paid will vary according to the severity of the issue uncovered and the relative importance of the software. So the largest bounties seem likely to come from bug hunting in PuTTY and Drupal. Of course, bug hunters will likely look in the areas that best fit their skills rather than purely in line with the potential reward.
ZDNet says that to qualify for a reward, security researchers must get their bug report approved and the software project patched in a subsequent release. That is a reminder that finding the bugs could be less than half the job: open source developers need the resources to work out fixes for any errors found, in order to patch them.
7-Zip updated
In related open source news, the popular free file archiver 7-Zip has just been updated. You can find the home page with release notes and download links here.