Original post from InfoSecurity Magazine
EU Launches Bug Bounty for 15 Open Source Projects
The third edition of FOSSA will include 15 software programs: 7-zip, Apache Kafka, Apache Tomcat, Digital Signature Services (DSS), Drupal, Filezilla, FLUX TL, the GNU C Library (glibc), KeePass, midPoint, Notepad++, PHP Symfony, PuTTY, VLC Media Player and WSO2, according to EU Parliament member Julia Reda.
Reda, who has written extensively about the security risks in OpenSSL, launched the FOSSA project with her colleague Max Andersson in 2015; the project is now moving into its third phase. The first 14 bug bounty projects will commence in January 2019, with the final project beginning in March.
While bug bounty programs call upon the hacker community to come together in search of vulnerabilities, applying the crowdsourced concept to open source presents unexpected challenges, according to Tim Mackey, senior technical evangelist at Black Duck by Synopsys.
“Since bug bounty programs favor the discovery of issues with an implicit assumption resources exist to resolve found issues, any security issue disclosed in public leaves users vulnerable until a fix is found.
“Once a fix is created, that fix needs to be delivered to users. This is by far the most significant hurdle for bug bounty–based efforts in FOSS. The core challenge being an assumption valid only with commercial software – [that] there is a single release stream to upgrade. As the FOSS community knows very well, branches of releases are very common, and it may be difficult to apply a fix from one branch to another.”
Though Mackey applauded the EU for creating the bug bounty program, he argued that funding developers and security professionals to work with the communities creating their target applications is also important.
“That way not only are issues being discovered, but the overall process can be improved while addressing any issues uncovered. It should be noted that the target projects represent a very small percentage of open source projects, and that while these are obviously critical projects for the EU, it would be worthwhile for the EU to investigate expanding this effort.”
In a December 28, 2018, tweet, Reda expressed the same sentiment. “That would indeed be better, but the @EU_Commission can’t just dish out money to developers who haven’t gone through an onerous public tender process that favours large consultancies that specialize in bidding for tenders rather than Drupal development.”