EU Offers Big Bug Bounties On 14 Open Source Software Projects

Julia Reda is a member of Germany's Pirate Party, a member of the European Parliament, and the Vice-President of The Greens-European Free Alliance.

Thursday her official web site announced: In 2014, security vulnerabilities were found in important Free Software projects. One of the issues was found in the Open Source encryption library OpenSSL.... The issue made lots of people realise how important Free and Open Source Software is for the integrity and reliability of the Internet and other infrastructure.... That is why my colleague Max Andersson and I started the Free and Open Source Software Audit project: FOSSA... In 2017, the project was extended for three more years. This time, we decided to go one step further and added the carrying out of Bug Bounties on important Free Software projects to the list of measures we wanted to put in place to increase the security of Free and Open Source Software...

In January the European Commission is launching 14 out of a total of 15 bug bounties on Free Software projects that the EU institutions rely on.
The bounties start at 25.000,00 € -- about $29,000 USD -- rising as high as 90.000,00 € ($103,000). "The amount of the bounty depends on the severity of the issue uncovered and the relative importance of the software," Reda writes.

Click through for a list of the software projects for which bug bounties will be offered.

• Filezilla

• Apache Kafka

• Notepad++

• PuTTY

• VLC Media Player

• FLUX TL

• KeePass

• 7-zip

• Digital Signature Services (DSS)

• Drupal

• GNU C Library (glibc)

• PHP Symfony

• Apache Tomcat

• WSO2

More projects needed

[rstanley]

This list should be expanded to include many other projects as well, such as OpenSSH, etc...

I applaud the EU for their efforts!!!

Re: More projects needed

[GaryGregory]

Link to a EU page?

Re:More projects needed

This list should also be expanded to include a bounty for whoever manages to silence the fat IT clerk from the Santa Clara area.

Re: More projects needed

[rstanley]

I believe there are two sites to do the research and report the bugs:

See:
https://juliareda.eu/2018/12/eu-fossa-bug-bounties/
and from there:
https://www.intigriti.com/public/
and
https://www.hackerone.com/

Re: More projects needed

My papers! Where are my papers? Someone took my papers! Oh no! Shut up! I mean be quiet! Where is creamers porn?

Re:More projects needed

[AHuxley]

That would need more EU tax payers paying more and more.
With all the EU projects spending more EU tax payers money on "free" stuff that extra money for the gov is getting difficult to extract.

Re: More projects needed

[gomadtroll]

Free as I libre, it beer

Re: More projects needed

[AHuxley]

Wonder if that "free" from the EU comes with some new "free" regulations too?

Smithers

Release the hounds

Choice?

Some of these look pretty arbitrary. Why Filezilla, a client for a dying technology? Why Notepad++, which is desktop software which is not networked nor used in mission-critical environments? Why Putty and not Openssh? Why Yet Another Crypto Library instead of a more widely used one?

Re:Choice?

Clearly it is one of those money laundering schemes set up by them pesky bots.

Quickly, Call my nigerian prince and have him notify his swiss bank manager.

captcha : textbook

Re: Choice?

Those are all applications run by companies in a Windows environment. All of the ops guys I worked with, that used Windows, used Putty. Filezilla was common for secure copies. Sounds like the government wants to make sure their security is sound.

Re: Choice?

Careful watch out for drug abuse

Re:Choice?

[skoskav]

Why Yet Another Crypto Library instead of a more widely used one?

If you're referring to DSS then they probably mean that the bug bounty applies to the esig library or the standard it is based on. It's a convenient tool for applying and verifying EU-compliant document signatures (PDF, XML, ASiC) throughout EU institutions.

A contrived use case could be that you want to sign a legally binding contract with a Spanish bank to own a summer house, but you authenticate yourself with your Finnish bank, and the Spanish bank has outsourced the signing service to a company located in the Netherlands. But anyone involved can validate the signed document and see who were involved.

Re:Choice?

[ShanghaiBill]

Why Filezilla, a client for a dying technology? Why Notepad++

Because EU institutions rely on them.

The bounties are for the software they actually use.

If you think they should be using something else, that is a different issue. Good luck getting an entrenched bureaucracy to change their workflow to fit your whims.

Re: Choice?

exactly. stupid windows user bullshit.

Re: Choice?

No need to watch out for that...
the EU employees have healthcare, benefits, a salary that's good enough to enjoy plenty of drug use and plenty of time to enjoy them.

take that, you american public school commies !

captcha : parade

Re:Choice?

[nuckfuts]

Why Filezilla, a client for a dying technology?

Who says FTP is a dying technology? It serves a useful purpose. On occasion I need to download virtual machine images around 90GB in size, or larger. Filezilla + FTP is a very robust transport method. Trying to do this over HTTP will frequently run for hours (or days) and require starting over if an error occurs. FTP is also preferable to torrenting for this, since it doesn't require simultaneous uploading and lots of peers downloading the same image.

Re: Choice?

Sorry as pointed out during the recent US elections, using FTP to distribute data is insecure and legacy. HTTPS is superior because it has encryption.

Re:Choice?

[Aighearach]

I find that running an FTP server on a tablet or phone is often the easiest way to get files onto a networked computer that isn't set up to share files over the network.

For example, some sort of machine like a laser printer or CNC that has a windows computer as the interface. Maybe it only has a USB port to accept files, but it is connected to the shop's wifi. No problem, I can just run cmd and then ftp from the command line!

It isn't dying, because the commands already exist and don't require any new integrations to be useful. And yet, they're still used by a lot of legacy scripts, installers and things like that, so they're not likely to be actually removed.

It just spends a lot of quiet time to itself these days.

Re: Choice?

[Aighearach]

Is distributing data the only use case for FTP, or can it also be used to transfer data that isn't being distributed?

Re: Choice?

[nuckfuts]

You raise a good point. FTP can be a common protocol when transferring between system like Unix (native NFS file sharing) and Windows (native SMB file sharing).

Re: Choice?

That's why most use SFTP for sensitive stuff, or they should be at least.

Re: Choice?

[bn-7bc]

Well in addition to ftp snd ftp over tls filezilla suppoers SFTP so while ftp might be dying filezile still has some life left in it

Re: Choice?

Why? Do you have something to hide?

Re: Choice?

[nuckfuts]

Sorry as pointed out during the recent US elections, using FTP to distribute data is insecure and legacy. HTTPS is superior because it has encryption.

It's not a superior transport mechanism. I'm talking about file transfers that can take hours or even days to complete. In my experience HTTP/HTTPS frequently fails on very large file transfers without any retry functionality. If encryption is a requirement, I can encrypt my files prior to transporting them.

Re: Choice?

FTP has been supporting encryption for ages. I have set up a Linux box running vsftpd with strong encryption for my employer about six years ago. Just create a self signed certificate or buy one if needed. Configure ten seconds wait time after unsuccessful login attempt to get rid of 99.9% of hackers/bots. Still running flawlessly, and never got an intrusion on this machine. Only complaints from users are when contacts from other companies cannot access our server because their firewall rules disallow FTP.

FTP can be very secure and extremely reliable, and can run for ages without maintenance (just configure automatic updates on the machine and check access/sys logs regularly). Try that with stuff like OwnCloud or some other web crap. You will be owned in now time.

Re: Choice?

in now time.

I'm going to steal this delightful accident of spelling.

Thank you.

And who is going to pay for all the updates?

And who is going to pay for all the resulting updates? You and I. That's who.

This "research" is not doing the industry any favors.

Re:And who is going to pay for all the updates?

This is open source software, you maroon. Whoever wants to pay for it, will.
The rest of us get the updates for free.

Re:And who is going to pay for all the updates?

[F.Ultra]

And who do you think will pay for what happens if any of the software on that list gets hacked and comprises some governmental or commercial data? Funding research that benefits us all (or most of us) is exactly the thing that tax money should be used for.

Re:And who is going to pay for all the updates?

[ShanghaiBill]

And who is going to pay for all the resulting updates?

European taxpayers will pay for it.

The reasoning is that paying for bug fixes will likely be cheaper than paying for security breaches.

I lean libertarian, yet even I see this as a good use of taxpayer euros. The bug fixes help everyone, and they are leveraging the profit motive of the private sector to make it happen.

Disclaimer: I am not a European taxpayer.

Re:And who is going to pay for all the updates?

Since you've pointed it out,
You shall pay for it
All of it!
From now,
Until Forever
Moehahahahahhaa

captcha : admiring

Re:And who is going to pay for all the updates?

EU taxpayers will not pay for it. Businesses will. Or more likely they will not (because nobody can afford to), and the newly revealed vulnerabilities will result in yet more zombie servers on the internet. Great. So what was the point of this?

Someone above mentioned funding for maintainers. That would be a hell of a lot more productive, and would be doing the business community a favor, instead of trying to pull the rug out from under it.

Re:And who is going to pay for all the updates?

[AHuxley]

Tax payers supporting new EU tech jobs.

Re:And who is going to pay for all the updates?

[AHuxley]

When European taxpayers cant pay more taxes, its time to tax all US brands in the EU some more?

Re:And who is going to pay for all the updates?

[ShanghaiBill]

Someone above mentioned funding for maintainers. That would be a hell of a lot more productive

No, unconditional funding is a terrible idea. It would quickly turn into yet another entitlement.

Paying for finding/fixing actual bugs means money is only paid for performance.

Incentives need to be aligned with objectives. If you want bug fixes, you pay for bug fixes, not for "effort".

Hmmm

No link to a real EU page, and promoted by a socialist dirt bag alliance of left wing assholes. No thank you.

Re:Hmmm

That's why Cdreimer left /. after 20 years and posted 100+ videos in 2018. His trolls are still butthurt that he left them alone with APK.

The thing to do for him: post more videos :)

Re: Hmmm

Hey let me wash your windshield! No really let me wash your windshield with this duty newspaper! Now give me two dollars I washed your windshield. See? It has only a few more filthy spots than before!

Some make sense, others do not

I can understand why glibc, Tomcat, and putty are on the list. But why Notepad++? 7-zip? VLC? Yes, these are popular open source projects and yes, they can be compromised, but usually they are compromised during /distribution/, not during original implementation.

Re: Some make sense, others do not

Tomcat is going to bankrupt the fund.

Filezilla and Notepad++ are important.

[Futurepower(R)]

Filezilla uploads and downloads files from and to your web site.

Notepad++ is used for fundamental work, like programming and checking the validity of HTML and organizing HTML web pages. (See the Tidy2 plugin.)

See the list of Notepad++ plugins.

Payment only when serious deficiencies are found.

[Futurepower(R)]

If those programs are found to have a serious deficiency, the deficiencies will be fixed and the bounty paid. Mostly nothing will be paid because deficiencies won't be found.

Julia Reda rocks!

It's one of those few politicians who grok IT and software and know what matters, instead of swallowing all the nonsense lobbies throw at them.

I've heard a couple of talks by her and really wish we had a couple more like her.

Re:Julia Reda rocks!

So pay for people to find bugs that businesses will likely never patch in their applications because either they will never hear about it or simply do not have the money to pay someone to fix it?

Is that the idea?

Well if she had half a clue, the projects selected would make more sense and it would not be a bug bounty but funding for a bugfix drive on important projects that need work.

FLUX TL???

Are they insane? They've invented a new transport layer for their very specific use case (exchange of fisheries data) instead of using something proven and now expect everyone to debug their code.
And calling this open source software is exaggeration. I could find only a single release on their website (v1.7.1) and there is no download link.

Hypocricy

[Tsolias]

at its finest.
OK, let's paint the big picture here.
The E.U. just prints money. Every "green", "OSS", or any similar move that they've done, has been initiated because they wanted to absorb a buttload of money.
e.g. there are many members of the e.u. parliament, with ties to "green" companies, that have been getting many years money due to their "green" operations.

Now, what's this "initiative"? This is probably the same high corruption scum. These projects could've been funded, with manpower ofc, not direct funding, in order to help free s/w. A 90k bounty for a bug doesn't solve the problem.
A 2 year contract for graduate with 90k in total, could've benefited such projects in greater extend by just fixing a bug. You could help a graduate start filling his CV, you could give man power to projects that need it and in the end those people could fix critical bugs, non-critical ones and even contribute more features.
Bug bounty hunting for non-corporate s/w is wasteful and doesn't help neither(is this considered a double negative?) the project that much, nor contributes back to developers who want to work on it but don't have the experience to deal with those bugs *in-time*.

Re: Hypocricy

[cyber-vandal]

Yep I absolutely want someone straight out of university "fixing" OpenSSL.

Re:Hypocricy

[Aighearach]

My advice, do a web search for "printing money" and find out what it means when economists use that term.

Because it doesn't mean, "they spent money in a way I didn't approve of." And it isn't even close to that.

Re: Hypocricy

[Aighearach]

Computers don't care who typed code it, it runs the same regardless of what letters are next to a person's name, or how long their letters have been carefully aged.

No need for scare-quotes around the word fixed, it is a bug bounty not some sort of contract to attempt to fix bugs. If they didn't fix it, they won't get paid.

Re: Hypocricy

[Tsolias]

openssl had 10 severe vulnerabilities caused by those "senior" programmers.
You don't get my point anyway.
If you want certified or "safe" s/w, you're off to corporate s/w(a.k.a. closed source). OSS comes with this(example from GPL):
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM âoeAS ISâ WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

Re:Hypocricy

[Tsolias]

>implying

Re: Hypocricy

So, your argument is: if you want secure software, you have to buy 'corporate software', because open source software comes with a disclaimer?

I can only assume you have never read the fine print of corporate software.

Re: Hypocricy

Oh, I see. The problem is you don't know what a bug bounty is.
The payment is only for finding bugs, not fixing them.

Re: Hypocricy

Uh, cite a single piece of commercial software that provided a warranty for your data. I personally havenâ(TM)t seen a single one.

Re: Hypocricy

[cyber-vandal]

So you'd be happy with a developer with zero experience working on a complex crypto library. You must be an IT manager.

Re: Hypocricy

[Aighearach]

So you'd be happy with a woozle wurt and bleeble blazzer? What?

I didn't say anything like that, man. Just because you didn't understand the words, doesn't mean I was providing you a Mad Libs. Instead of replacing the words you didn't understand, just look them up.

For thousands of open/free apps.

https://en.wikipedia.org/wiki/...

Pay for Maintainers

[divide+overflow]

Paying to find bugs won't make much sense unless you also provide cash to fund the maintainers for additional manpower. Open source maintainers are already spending all their allotted time on maintaining the code. Simply identifying more bugs doesn't fix the manpower issue and makes their job even more difficult.

If you are identifying problems (bugs) you should also offer solutions (funding).

Re: Pay for Maintainers

[bn-7bc]

Well som bugs ar hatd to find, these bounties are just there to give the devs a resnable chance of getting to hear about bugs before exploits are sold to black-hats, I donâ(TM)t know about you, but bersonaly I thing that is a good thing.

Re: Pay for Maintainers

You know as well as I that is not how this works. New vulnerabilities get published. Average businesses either never hear about them or simply cannot afford to fix them. Result: an expanded botnet increased in value to hammer our mail servers even harder.

Bug bounties are bad news all around.

Re:Pay for Maintainers

[AHuxley]

Every year the EU will tax its working people some more to give away their money to "free" computer projects.

Re:Pay for Maintainers

[divide+overflow]

1. Good for the EU. At least they understand that nothing is truly free.
2. You can't tax people that don't have anything. That's just common sense.
3. Consider yourself lucky that someone creates usable software and provides it freely to others including selfish people who don't appreciate its value or the effort that went into its creation.

Happy New Year!

Re:Pay for Maintainers

[AHuxley]

Re "someone creates usable software and provides it freely"
When does "usable software and provides it freely" become just another EU tax payers funded project?
The same EU support every year? Then every month?
How many other "free" projects will get that kind of EU support?

Re:Pay for Maintainers

Shut the fuck up, you retarded subhuman oaf.

Re: Pay for Maintainers

Fixing security vulnerabilities in software commonly used in EU institutions will safe those same institutions huge amounts of money that would otherwise have to be spent on incident response.

Re: Pay for Maintainers

[AHuxley]

AC the EU then gets to have some say in the role of the app?

Fewere and fewer corporate firewalls...

Will let you use FTP. For good reason.

How much to remove "man" words from comments?

Or is that funded separately?

Why Drupal and not WordPress?

[rklrkl]

It seems strange that Drupal with 3.5% market share (globally across both public and private sector) of CMS'es is on the list and yet WordPress, which is the most dominant CMS by far, isn't on the list despite having 59.7% CMS market share (figures from W3Techs).

Maybe the European public sector uses Drupal more than WordPress (I have no specific figures on that), but I seriously doubt it considering the 17:1 worldwide usage disparity. Or is Drupal considered less secure than WordPress and needs more fixes? Again, I doubt that - WordPress is a much bigger target for hackers and has a lot more third-party plugins which vary very widely in quality of code.

Re:Why Drupal and not WordPress?

[angel'o'sphere]

WordPress can hardly be considered a CMS, it is a blogging software, thats all.

Re:Why Drupal and not WordPress?

[MS]

One reason many prefer Drupal is that it is multilingual, while most other CMS are not. Multilinguality is a feature needed by many european administrations. (I do not use Drupal, but I know the problems Joomla or Wordpress have with mutilingual plugins)

Steve Bannon, is that you?

May your bones rot in some nameless place in Hungary, next to Orbans corrupt corpse.

You stink.

Do a web search

Because the Web knows economy. Bummer.

Why pay for $100,000s for bugs

[aberglas]

When instead you can pay $100,000,000s for a software security surveillance department within the military?

PVS-Studio and Bug Bounties

[Embedded_Prog]

PVS-Studio and Bug Bounties on Free and Open Source Software: https://medium.com/@karpov2007...

I'm going to write me a minivan

[BdosError]

I must be getting old, no-one else thinks of this when they hear "bug bounty"?

https://dilbert.com/strip/1995...