AT the end of last month Julia Reda (MEP, Pirate Party) made an announcement which was initially overlooked. Maybe due to the time of the year. But over the next week (and almost a fortnight) news sites caught up with it. See below.
Starting this month the European Commission (EC) will kick off a series of bug bounties aimed at finding and patching security bugs in open source software (OSS).
Each of the bug bounties, which offer prize pools of between €25,000 and €90,000 (AUD$40,518 and AUD$145,868), target open source programs that are widely used within the EC.
The EC selected software it would fund bug bounties for based on previous inventories of software usage within the EC and a public survey about what projects should be supported.
Open source projects that will get EC-incentivised attention in coming months include Filezilla FTP software, the KeyPass password manager, Drupal CMS software, and the Apache Software Foundation’s implementation of Java technologies, Apache Tomcat.
The full list of 15 bounty programs includes the file archiver 7-zip, the Java servlet container Apache Tomcat, the content management framework Drupal, the cross-platform FTP application Filezilla, the media player VLC, the password manager KeePass, the text/source code editor Notepad++, plus other popular tools. Rewards start at €25,000 and go on up to €90,000 ($28,600 to $103,000), for a total offered amount of €851,000 ($973,000).
The European Union is ponying up close to €1m under a bug bounty programme spanning a range of open source projects.
The cash drop represents the latest milestone for the Free and Open Source Software Audit Project (FOSSA) the brainchild of German Pirate Party MEP Julia Reda and her colleague, Max Andersson.
In a pre-NYE blog post announcing the bounties, and recapping progress on FOSSA, Reda said that, “In January the European Commission is launching 14 out of a total of 15 bug bounties on Free Software projects that the EU institutions rely on.
The European Commission has provided funding for bug bounties in 14 open source projects it relies on. The bounties are designed to find gaps in its security after a year of successful attacks across the world.
The idea has roots in the Heartbleed vulnerability, whose discovery in OpenSSL caused a mad scramble and widespread concern. This led to the proposal of the Open Source Software Audit (FOSSA) by Julia Reda.
The bounties include popular applications like Filezilla, Notepad++, PuTTy, VLC Media Player, KeePass, and 7-zip. They were chosen by a historical look at application usage in the EC and a public survey by Reda.
Of course, while the discovery of the bugs will aid the European Commission, they’ll play a wider role in protecting the public as a whole. The bounties are open to all on HackerOne and Intigriti, meaning anyone holding on to relevant exploits has a financial incentive to divulge them.
The Commission is funding 15 'bug bounties' in total, with the total prize fund topping €£800,000.
EU officials are looking to paper over the cracks in open source programmes – software available for free online – that the Union uses in its computer systems.
The full list of programs includes 7-zip, Apache Tomcat, Drupal, Filezilla, VLC, KeePass, Notepad++ and other popular tools used in systems across the globe.
Rewards for 'ethical hackers' who get involved range from €£22,000 to €£80,000 per bug found, depending on how serious the flaw is.
Ethical hackers could earn up to $100,000 if they can spot vulnerabilities in the free open source software used by the European Union
The European Union (EU) has set up a bug bounty for 15 applications to help uncover security flaws in the most popular free and open source software on the web.Bug bounties are a prize for people who actively search for security issues and the EU is calling on ethical hackers and developers to help find vulnerabilities in the open source projects it relies on.
The initiative was announced by Julia Reda, a member of the European Pirate Party and the co-founder of The Free and Open Source Software Audit Project (FOSSA), and will see the EU fund 15 bug bounties ranging from $30,000 to $100,000 depending on the software in question and the size of the vulnerability.
IN PRECISELY 86 DAYS - unless something dramatic happens - Britain's 73 MEPs will lose their hard-earned (citation needed) European Union salary. For those that want one more hit of EU gravy after handing in the door pass, there is another way: finding bugs in open source software.
Bug bounties are nothing new, but they tend to be offered by companies with deep enough cash reserves to fund them, for obvious reasons. Facebook, Google, Microsoft and many others essentially pay people to find flaws in their software, so they can patch them before somebody else uses it to cause them bigger headaches further down the line.
So why is the EU getting in on the act? Simply because it uses open source software, and said programmes rely on the community to catch potential exploits. That's proved pretty efficient in the past, but with the EU representing the interest of 28 countries - well, 27 and one putting on its coat to leave - one small exploit could cause a lot of big problems.
As such, German Pirate Party MEP Julia Reda has unveiled the bug bounty program for 15 pieces of software favoured in Brussels and beyond: 7-zip, Apache Kafka, Apache Tomcat, Digital Signature Services (DSS), Drupal, Filezilla, FLUX TL, the GNU C Library (glibc), KeePass, midPoint, Notepad++, PuTTY, the Symfony PHP framework, VLC Media Player and WSO2.
The European Commission in January is funding 14 bug bounty programs in hopes of sniffing out vulnerabilities in the free open source projects that EU institutions rely on.
The bug bounty programs span 14 open source software projects and offers a total of almost $1 million for all bounties combined. The bug bounty programs have varying rewards, start and end dates, and platforms. The first bug bounty programs – for Filezilla, Apache Kafka, Notepad++, PuTTy, and VLC Media Player – begin next week on Jan. 7.
The initiative stems back to the Free and Open Source Software Audit project (FOSSA), first created by European Parliament member Julia Reda. Reda proposed FOSSA with the hopes of securing open source software, after the Heartbleed vulnerability was discovered in open source encryption library OpenSSL in 2014.
For anyone who has played around with the coding side of things, or even had a peek under the bonnet, names such as notepad++, GNU C library and Putty will be immediately recognizable.
These are some of the commonly used Open Source Software (OSS); software that is freely distributed with it source code that allows the user to read or modify it. Due to this, they are widely used in IT and programming.
Appreciating the important purpose they serve, and also the possibility of abuse, Julia Reda, an EU Member of Parliament has announced that the European Commission is launching what they term as “ bug bounty programs,” in a bid to encourage and support open source software.
The Member of Parliament noted that this is part of an ongoing effort, Free and Open Source Software Audit (FOSSA) in a concerted effort to get people to look debug these projects. At this time there will be up to fifteen programs that will be supported, in a bid to make the Internet safer and more reliable.
Bug bounty program for 14 of its open source projects will commence from January 2019 while the last one will start from March 1. These programs are sponsored as part of the 3rd edition of the FOSSA project, which was approved by the EU authorities in 2015 after severe vulnerabilities were identified in the OpenSSL library in 2014.
Bug bounties are a way for companies to check the security of their software by offering cash to freelancers who hunt for security exploits and then report them so that they can be fixed. The idea is that everyone benefits from this process: the company gets its software checked by a larger variety of people than they could employ by themselves, the bug hunters get offered legitimate cash for finding a security flaw instead of selling that information on the black market, and the public gets software which has been more thoroughly checked for security issues. Big tech companies like Google and Intel have been running bug bounty programs for years.
Payouts have ranged from 25.000,00 € for a Digital Signature Services (DSS) vulnerability to 90.000,00 € for a PuTTy vulnerability.
“The issue made lots of people realise how important Free and Open Source Software is for the integrity and reliability of the Internet and other infrastructure,” Reda said in an announcement. “Like many other organisations, institutions like the European Parliament, the Council and the Commission build upon Free Software to run their websites and many other things.”
Security researchers have welcomed a European Union-funded scheme to offer bug bounties on free and open source software projects that begins its roll-out this month.
The bounty scheme is an extension of the Free and Open Source Software Audit (FOSSA) project, and will reward ethical hackers who uncover flaws in key components of internet technologies such as Drupal and Apache Tomcat as well as consumer utilities such as the VLC Media Player.
Maximum payouts will range between €25k and €90k under a total of 15 programs, administered by either HackerOne or Intigriti/Deloitte, funded in large part by the EU.
From Monday 7 January the European Commission (EC) will start paying out bug bounties to security researchers who find vulnerabilities in 14 open source projects.
The funding pot is part of the EU Free and Open Source Software Audit (FOSSA) project, overseen by the EC’s Directorate General of Informatics (DIGIT).
The bounty programmes, run on the HackerOne and Intigriti platforms, cover open source software (OSS) used in European infrastructure, including streaming software Apache Kafka, content management framework Drupal and puTTY; a free SSH and telnet client for Windows.
But the project has not been without its critics, who have warned it will place a growing workload on volunteer-led projects, potentially alienating code maintainers who will see little personal benefit as a result.
While the European Union’s latest bug bounty program for widely used open source projects sounds like a step towards improving the security of the overall Internet ecosystem, these programs may wind up complicating efforts to secure these applications.
The European Union has committed to pay €850,000 (nearly $1 million) in bug bounties for vulnerabilities found in 15 open source projects as part of the edition of the Free and Open Source Software Audit (FOSSA) project, said Julia Reda, a member of the European Parliament representing the German Pirate Party. The projects are 7-zip, Apache Kafka, Apache Tomcat, Digital Signature Services (DSS), Drupal, Filezilla, FLUX TL, the GNU C Library (glibc), KeePass, midPoint, Notepad++, PuTTY, the Symfony PHP framework, VLC Media Player, and WSO2. Six of the projects will accept vulnerability reports until the summer, six until the end of the year, and three will accept reports through 2020. Drupal, a powerful content management system, and PuTTY, a terminal emulator, serial console and network file transfer application, have the largest amounts allocated under this program, at €89,000 ($101,000) and €90,000 ($102,000), respectively.
Working in partnership with HackerOne and Intigriti, the EU announced that the European Commission will launch a bug bounty program as part of the Free and Open Source Software Audit (FOSSA).
The third edition of FOSSA will include 15 software programs: 7-zip, Apache Kafka, Apache Tomcat, Digital Signature Services (DSS), Drupal, Filezilla, FLUX TL, the GNU C Library (glibc), KeePass, midPoint, Notepad++, PHP Symfony, PuTTY, VLC Media Player and WSO2, according to EU Parliament member Julia Reda.
Reda, who has written extensively about the security risks in Open SSL, launched the FOSSA project with her colleague Max Andersson in 2015, which is moving into phase three. The first 14 bug bounty projects will commence in January 2019, with the final project beginning in March.
The 14 projects are, in alphabetical order, 7-zip, Apache Kafka, Apache Tomcat, Digital Signature Services (DSS), Drupal, Filezilla, FLUX TL, the GNU C Library (glibc), KeePass, midPoint, Notepad++, PuTTY, the Symfony PHP framework, VLC Media Player, and WSO2.
The bug bounty programs are being sponsored as part of the third edition of the Free and Open Source Software Audit (FOSSA) project.
EU authorities first approved FOSSA in 2015, after security researchers discovered a year earlier severe vulnerabilities in the OpenSSL library, an open source project used by many websites to support HTTPS connections.
FOSSA aims at bringing together the developer community to ensure better security of open source systems, such as CMS or other standard software used by the EU.
There are several open-source software that is widely used by the authorities, as well as the public at large. Reportedly some of these are used as part of the EU’s IT Infrastructure, and therefore they are keen on ensuring better security for such projects.
The full list of programs that will be funded by the EC from January includes a number of popular tools: 7-zip, Apache Kafka, Apache Tomcat, Digital Signature Services (DSS), Drupal, Filezilla, FLUX TL, the GNU C Library (glibc), KeePass, Notepad++, PuTTY, PHP Symfony, VLC Media Player and WSO2. In March, midpoint will be added to the list.
The European Union (EU) has put up a bug bounty for security researchers to spot flaws in the open source software used by the regional bloc.
In a post on her website, European Parliament member Julia Reda of Germany said the bounty to be launched in 2019 by the European Commission – EU's executive branch – will cover a total of 15 free and open source software "that the EU institutions rely on."
Why it matters: The internet largely relies on open source projects to survive, but these are often developed by hardworking and charitable developers rather than well-paid employees. An unfortunate consequence of this is that developers simply don’t get the time and resources they require to hunt down the vulnerabilities that are so pervasive in complex code.
The European Union has recognized this problem, and as part of their Free and Open Source Software Audit (FOSSA) they’ve set up a bug bounty for 15 applications. The bounty ranges from $30,000 to $100,000 depending on the software in question, and of course, on the seriousness of the vulnerability discovered.
The European Union is an unexpected entrant into the world of bug bounties, funding 14 of them for open-source software projects on which the organization relies.
Bug bounties are payments provided to security researchers and others who detect and report vulnerabilities in software. The EU’s funding will begin at the start of January.
Announced late last week by Julia Reda, an elected representative of the EU Parliament, the program will fund bug bounties for a variety of software: 7-zip, Apache Kafka, Apache Tomcat, Digital Signature Services, Drupal, Filezilla, FLUX TL, the GNU C Library (glibc), KeePass, midPoint, Notepad++, PuTTY, the Symfony PHP framework, VLC Media Player and WSO2.
The funding will be provided through the Free and Open Source Software Audit project that was approved by the EU in 2015. That project was founded after flaws were found in OpenSSL, the open-source library used for the encryption of internet traffic.
The bounties are offered as part of the Free and Open Source Software Audit project (FOSSA), originally launched in 2015 following the discovery of security flaws in OpenSSL encryption.
Julia Reda, a German member of the European Parliament, says the bug bounty program will include 14 projects that the EU itself relies on.
“The amount of the bounty depends on the severity of the issue uncovered and the relative importance of the software. The software projects chosen were previously identified as candidates in the inventories and a public survey,” she says.
The full list of programs includes 7-zip, Apache Tomcat, Drupal, Filezilla, VLC, KeePass, Notepad++ and other popular tools that the EU institutions rely on, with rewards ranging from €25,000 to €90,000 ($28,600 to $103,000), for a total offered amount of €851,000 ($973,000).
Starting from the New Year, the European Union has decided to fund bug bounty programmes for a plethora of important open source projects. There are 14 projects covered by this initiative, starting from January 2019. The EU reckons its funding will shore up the integrity and reliability of the internet and other infrastructure, benefitting organisations and intuitions not just in Europe, but worldwide.
From January 7, 2019, researchers can submit security flaws for Filezilla, Apache Kafka, Notepad++, PuTTY, and VLC Media Player via the HackerOne bug bounty and vulnerability coordination platform. midPoint, a platform for identity management governance, is another product the EU wants to be more secure and offers rewards for vulnerabilities reported through HackerOne, starting March 1, 2019.
The rest of nine software products for which the EU set up a bug bounty are FLUX TL, KeePass, 7-zip, Digital Signature Services (DSS), Drupal, GNU C Library (glibc), PHP Symfony, Apache Tomcat, and WSO2; security flaws for them are coordinated through Intigrity, a Brussels-based crowdsourced security platform. The security reward programs for these start on January 15 and January
Julia Reda, EU member of the parliament, announced, last week, that EU will be funding the internet bug bounty programs for 14 out of the total 15 open source projects, starting January 2019.
The Internet Bug Bounty programs are rewards for friendly hackers who actively search for security vulnerabilities and issues. The program is managed by a group of volunteers that are selected from the security community. The amount of the bounty depends on how severe the issue uncovered is and the importance of the software. The amount ranges from 25,000,00 Euros and all the way up to 89,000,00 Euros.
The European Union will help cover the expenses of bug bounty programs for 14 open-source projects according to an announcement made by EU Member of Parliament Julia Reda.
The projects that will receive funding for their bug bounty programs are 7-zip, Apache Kafka, Apache Tomcat, Digital Signature Services (DSS), Drupal, Filezilla, FLUX TL, the GNU C Library (glibc), KeePass, midPoint, Notepad++, PuTTY, the Symfony PHP framework, VLC Media Player and WSO2.
The bug bounty programs are being sponsored as part of the third edition of the Free and Open Source Software Audit (FOSSA) project.
Here's a cool way for white hat hackers to earn themselves some nice greens. The European Union is funding a bounty hunter program for a bunch of open-source projects.
Starting next year, cybersecurity-savvy individuals can get their hands dirty with a total of 14 projects: 7-zip, Apache Kafka, Apache Tomcat, Digital Signature Services (DSS), Drupal, Filezilla, FLUX TL, the GNU C Library (glibc), KeePass, midPoint, Notepad++, PuTTY, the Symfony PHP framework, VLC Media Player, and WSO2.