Skip to main content

Software Security is a Civil Right!

EUPL for state software

Published on: 14/01/2019 News Archived

While open source software like OpenSSL appears to be the cornerstone of safe transactions on the Internet, used by millions of websites and organisations; while so many commercial companies and governments using OpenSSL extensively were taking it for granted, royalty free and safe, it was a bitter finding to discover, with the now famous Heartbleed bug, that it has severe vulnerabilities.

One of the reason is that the OpenSSL Software Foundation which is responsible for the maintenance of the library receives just $2000 of donation per year and has only ONE full-time employee working on the library.

On the other hand, one of the best guarantee open source can provide is that the source code is not hidden. It is publicly available and could be checked by everyone. Everyone could contribute and correct possible error, but the “could” is the true question: will everyone do that, for free and without any incentive?

Like bread and beer, free software development is not for free: developers need some incentives, let’s say just the money they need for purchasing their bread and beer or for ensuring their family a decent way of life. In order to provide these incentives, the European Commission is launching in January about 15 bug bounties on Free Software projects that the EU institutions rely on. A bug bounty is a prize for people who actively search for security issues. The amount of the bounty depends on the severity of the issue uncovered and the relative importance of the software.

This EU initiative is part of the Free and Open Source Software Audit (FOSSA) project.

"Software Security as a Civil right", Nikos Vaggalis wrote in i-programmer news, quoting the scheme that Julia Reda (MEP) pushes forward. Mission-critical F/OSS applications' audits should be state funded in order to serve the wider good.

A prime example of how deep OSS has infiltrated Governments, is that of Bulgaria whose state eGovernment agency SEGA is going to "award a contract for building the country’s open source code repository. The repository, to be based on Git, will be hosting source all software newly developed by or for Bu services".Everything is going to be released under the European Union Public Licence (EUPL).

More information:

Referenced solution