EU Offers Big Bug Bounties On 14 Open Source Software Projects (juliareda.eu)
Julia Reda is a member of Germany's Pirate Party, a member of the European Parliament, and the Vice-President of The Greens-European Free Alliance.
Thursday her official web site announced: In 2014, security vulnerabilities were found in important Free Software projects. One of the issues was found in the Open Source encryption library OpenSSL.... The issue made lots of people realise how important Free and Open Source Software is for the integrity and reliability of the Internet and other infrastructure.... That is why my colleague Max Andersson and I started the Free and Open Source Software Audit project: FOSSA... In 2017, the project was extended for three more years. This time, we decided to go one step further and added the carrying out of Bug Bounties on important Free Software projects to the list of measures we wanted to put in place to increase the security of Free and Open Source Software...
In January the European Commission is launching 14 out of a total of 15 bug bounties on Free Software projects that the EU institutions rely on.
The bounties start at 25.000,00 € -- about $29,000 USD -- rising as high as 90.000,00 € ($103,000). "The amount of the bounty depends on the severity of the issue uncovered and the relative importance of the software," Reda writes.
Click through for a list of the software projects for which bug bounties will be offered.
- Filezilla
- Apache Kafka
- Notepad++
- PuTTY
- VLC Media Player
- FLUX TL
- KeePass
- 7-zip
- Digital Signature Services (DSS)
- Drupal
- GNU C Library (glibc)
- PHP Symfony
- Apache Tomcat
- WSO2
This list should be expanded to include many other projects as well, such as OpenSSH, etc...
I applaud the EU for their efforts!!!
Filezilla uploads and downloads files from and to your web site.
Notepad++ is used for fundamental work, like programming and checking the validity of HTML and organizing HTML web pages. (See the Tidy2 plugin.)
See the list of Notepad++ plugins.
If those programs are found to have a serious deficiency, the deficiencies will be fixed and the bounty paid. Mostly nothing will be paid because deficiencies won't be found.
And who do you think will pay for what happens if any of the software on that list gets hacked and comprises some governmental or commercial data? Funding research that benefits us all (or most of us) is exactly the thing that tax money should be used for.
It's one of those few politicians who grok IT and software and know what matters, instead of swallowing all the nonsense lobbies throw at them.
I've heard a couple of talks by her and really wish we had a couple more like her.
Why Yet Another Crypto Library instead of a more widely used one?
If you're referring to DSS then they probably mean that the bug bounty applies to the esig library or the standard it is based on. It's a convenient tool for applying and verifying EU-compliant document signatures (PDF, XML, ASiC) throughout EU institutions.
A contrived use case could be that you want to sign a legally binding contract with a Spanish bank to own a summer house, but you authenticate yourself with your Finnish bank, and the Spanish bank has outsourced the signing service to a company located in the Netherlands. But anyone involved can validate the signed document and see who was involved.
Why Filezilla, a client for a dying technology? Why Notepad++
Because EU institutions rely on them.
The bounties are for the software they actually use.
If you think they should be using something else, that is a different issue. Good luck getting an entrenched bureaucracy to change their workflow to fit your whims.
And who is going to pay for all the resulting updates?
European taxpayers will pay for it.
The reasoning is that paying for bug fixes will likely be cheaper than paying for security breaches.
I lean libertarian, yet even I see this as a good use of taxpayer euros. The bug fixes help everyone, and they are leveraging the profit motive of the private sector to make it happen.
Disclaimer: I am not a European taxpayer.
Yep I absolutely want someone straight out of university "fixing" OpenSSL.
Why Filezilla, a client for a dying technology?
Who says FTP is a dying technology? It serves a useful purpose. On occasion I need to download virtual machine images around 90GB in size, or larger. Filezilla + FTP is a very robust transport method. Trying to do this over HTTP will frequently run for hours (or days) and require starting over if an error occurs. FTP is also preferable to torrenting for this, since it doesn't require simultaneous uploading and lots of peers downloading the same image.
Sorry, as pointed out during the recent US elections, using FTP to distribute data is insecure and legacy. HTTPS is superior because it has encryption.
Paying to find bugs won't make much sense unless you also provide cash to fund the maintainers for additional manpower. Open source maintainers are already spending all their allotted time on maintaining the code. Simply identifying more bugs doesn't fix the manpower issue and makes their job even more difficult.
If you are identifying problems (bugs) you should also offer solutions (funding).
I find that running an FTP server on a tablet or phone is often the easiest way to get files onto a networked computer that isn't set up to share files over the network.
For example, some sort of machine like a laser printer or CNC that has a windows computer as the interface. Maybe it only has a USB port to accept files, but it is connected to the shop's wifi. No problem, I can just run cmd and then ftp from the command line!
It isn't dying, because the commands already exist and don't require any new integrations to be useful. And yet, they're still used by a lot of legacy scripts, installers and things like that, so they're not likely to be actually removed.
It just spends a lot of quiet time to itself these days.
Is distributing data the only use case for FTP, or can it also be used to transfer data that isn't being distributed?
My advice, do a web search for "printing money" and find out what it means when economists use that term.
Because it doesn't mean, "they spent money in a way I didn't approve of." And it isn't even close to that.
Computers don't care who typed the code in; it runs the same regardless of what letters are next to a person's name, or how long their letters have been carefully aged.
No need for scare-quotes around the word fixed, it is a bug bounty not some sort of contract to attempt to fix bugs. If they didn't fix it, they won't get paid.
You raise a good point. FTP can be a common protocol when transferring between systems like Unix (native NFS file sharing) and Windows (native SMB file sharing).
openssl had 10 severe vulnerabilities caused by those "senior" programmers.
You don't get my point anyway.
If you want certified or "safe" s/w, you're off to corporate s/w (a.k.a. closed source). OSS comes with this (example from GPL):
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
>implying
So, your argument is: if you want secure software, you have to buy 'corporate software', because open source software comes with a disclaimer?
I can only assume you have never read the fine print of corporate software.
Tax payers supporting new EU tech jobs.
Domestic spying is now "Benign Information Gathering"
Someone above mentioned funding for maintainers. That would be a hell of a lot more productive
No, unconditional funding is a terrible idea. It would quickly turn into yet another entitlement.
Paying for finding/fixing actual bugs means money is only paid for performance.
Incentives need to be aligned with objectives. If you want bug fixes, you pay for bug fixes, not for "effort".
Sorry, as pointed out during the recent US elections, using FTP to distribute data is insecure and legacy. HTTPS is superior because it has encryption.
It's not a superior transport mechanism. I'm talking about file transfers that can take hours or even days to complete. In my experience HTTP/HTTPS frequently fails on very large file transfers without any retry functionality. If encryption is a requirement, I can encrypt my files prior to transporting them.
WordPress can hardly be considered a CMS; it is blogging software, that's all.
Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
FTP has been supporting encryption for ages. I set up a Linux box running vsftpd with strong encryption for my employer about six years ago. Just create a self-signed certificate or buy one if needed. Configure a ten-second wait time after an unsuccessful login attempt to get rid of 99.9% of hackers/bots. Still running flawlessly, and never got an intrusion on this machine. The only complaints from users are when contacts from other companies cannot access our server because their firewall rules disallow FTP.
FTP can be very secure and extremely reliable, and can run for ages without maintenance (just configure automatic updates on the machine and check access/sys logs regularly). Try that with stuff like OwnCloud or some other web crap. You will be owned in no time.
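A vsftpd.conf fragment in the spirit of the setup described in the post above, added here as an illustration and not the poster's actual configuration; the certificate paths and the passive port range are placeholders chosen for the example. The insecure defaults it replaces are kept as comments so the two can be compared side by side.

```ini
# Constructed vsftpd.conf fragment (illustration only, not the poster's real file).
# vsftpd rejects trailing comments on option lines, so every comment stands alone.
#
# Insecure baseline these settings replace:
#   ssl_enable=NO          (credentials and data cross the wire in cleartext)
#   delay_failed_login=1   (vsftpd default: one second pause after a bad login)
#   anonymous_enable=YES   (anyone can list and fetch the anonymous tree)

anonymous_enable=NO
local_enable=YES
write_enable=YES
# Confine each account to its home directory.
chroot_local_user=YES

# TLS on both the control channel (login) and the data channel.
ssl_enable=YES
# Refuse USER/PASS until the client has issued AUTH TLS.
force_local_logins_ssl=YES
# Refuse transfers over an unencrypted data connection.
force_local_data_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
ssl_ciphers=HIGH
# Placeholder paths: point these at your real certificate and key.
rsa_cert_file=/etc/ssl/certs/ftp.example.com.pem
rsa_private_key_file=/etc/ssl/private/ftp.example.com.key

# The brute-force dampening the post describes: ten seconds after a failed login,
# and drop the connection after three failures.
delay_failed_login=10
max_login_fails=3

# With TLS the firewall can no longer read PASV replies to open data ports
# dynamically, so pin a passive range and open only that range at the perimeter.
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50100

# Keep a transfer log so access can be reviewed regularly, as the post advises.
xferlog_enable=YES
log_ftp_protocol=NO
```

Note that vsftpd 3.x refuses to start when a chrooted home directory is writable unless `allow_writeable_chroot=YES` is set; the safer fix is an upload subdirectory under a read-only home.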
One reason many prefer Drupal is that it is multilingual, while most other CMS are not. Multilinguality is a feature needed by many European administrations. (I do not use Drupal, but I know the problems Joomla or WordPress have with multilingual plugins.)
When instead you can pay $100,000,000s for a software security surveillance department within the military?
So you'd be happy with a developer with zero experience working on a complex crypto library. You must be an IT manager.
So you'd be happy with a woozle wurt and bleeble blazzer? What?
I didn't say anything like that, man. Just because you didn't understand the words, doesn't mean I was providing you a Mad Libs. Instead of replacing the words you didn't understand, just look them up.
PVS-Studio and Bug Bounties on Free and Open Source Software: https://medium.com/@karpov2007...
I must be getting old, no-one else thinks of this when they hear "bug bounty"?
https://dilbert.com/strip/1995...
Complexity is Easy. Simplicity is Hard.