Starting in January, the European Commission is funding 14 bug bounty programs in hopes of sniffing out vulnerabilities in the free and open source projects that EU institutions rely on.
The bug bounty programs span 14 open source software projects and offer a total of almost $1 million for all bounties combined. The programs have varying rewards, start and end dates, and platforms. The first of them – for FileZilla, Apache Kafka, Notepad++, PuTTY, and VLC Media Player – begin next week on Jan. 7.
The initiative stems from the Free and Open Source Software Audit project (FOSSA), first proposed by European Parliament member Julia Reda. Reda put FOSSA forward with the aim of securing open source software after the Heartbleed vulnerability was discovered in the open source encryption library OpenSSL in 2014.
Heartbleed did not only affect OpenSSL itself, but every application that linked against the vulnerable library – and the bug also exposed how much software widely used across the Commission depended on the security of a handful of under-resourced projects.
“Like many other organisations, institutions like the European Parliament, the Council and the Commission build upon Free Software to run their websites and many other things,” said Reda in a post about FOSSA. “But the Internet is not only crucial to our economy and our administration. It is the infrastructure that runs our everyday lives. It is the means we use to retrieve information and to be politically active.”
The project’s first iteration, between 2015 and 2016, launched several security audits, inventoried the free software the EU runs on, and analyzed how software developers maintain security in their projects. In 2017, the EU developed several bug bounty programs to hunt for vulnerabilities in the open source programs used by EU institutions. In November 2017, the Commission announced it would run the first bug bounty, on VLC Media Player, as a proof of concept.
Here is the full list of software projects that will have bug bounty programs:
PuTTY and Drupal have the two largest bug bounties, offering 90,000 euros ($102,000) and 89,000 euros ($101,000) respectively. The timeframes of the bug bounties also vary – PuTTY’s bug bounty program will remain active until Dec. 15, while Drupal’s will run until Oct. 15, 2020.
While the EU hailed the bug bounty programs as a step in the right direction, some worry that open source projects need more than bug bounties alone to improve their security.
Katie Moussouris, founder of Luta Security, said on Twitter that “a #bugbounty on open source projects that don’t get any funding for additional maintainers is likely to decimate the volunteer maintainer labor pipeline of the future”.
I disagree that it's a good thing on its own.
Where is the money for more paid maintainers?
It's not there.
A #bugbounty on open source projects that don't get any funding for additional maintainers is likely to decimate the volunteer maintainer labor pipeline of the future https://t.co/1YgwDNeFXM
— Katie Moussouris (@k8em0) December 28, 2018
The problem of treating bug bounty programs as a final answer to security, rather than as one tool alongside funding for maintenance and fixes, has come up several times in the past few years.
Josh Bressers, head of Product Security at Elastic, wrote in a blog post that one issue is that the EU currently has no mechanism to pay the projects directly, but it does have a mechanism to pay out security bug bounties. The next step, he argued, should be finding a way to give the projects the resources to secure themselves.
“If nothing changes and bug bounties are the only way to spend money on open source, this will fizzle out as there isn’t going to be a massive return on investment,” he said. “The projects are already overworked, they don’t need a bunch of new bugs to fix…Resources aren’t always money, sometimes it’s help, sometimes it’s gear, sometimes it’s pizza. An organization like the EU has money, they need help turning that into something useful to an open source project.”