The European Commission is about to launch a series of open source bug bounties. On 2 October the EC, for its EU-FOSSA 2 project, signed three framework contracts for running bug bounty programmes on open source software.
The EC bug bounties will reward software researchers who discover vulnerabilities in a range of free and open source software in use at the Commission. The amount of each award depends on the severity of the bug.
By using a bug bounty platform, the EC also wants to make sure that the critical open source software is tested for any potential vulnerabilities.
The 2017–2019 EU-FOSSA 2 project is an initiative of three Members of the European Parliament: Max Andersson, Julia Reda (Greens/EFA) and Marietje Schaake (ALDE). It is a follow-up to the first EU Free and Open Source Software Auditing project, which ran from 2015 to 2016.
The EC has signed three framework contracts with providers of bug bounty platforms. The providers, that have been awarded the contracts following a procurement procedure, are in a so-called cascade and are: (1) Intigriti, (2) HackerOne, and (3) Econocom and Yes We Hack.
The first EC open source bug bounty was organised in 2017 as a proof of concept, using a low value procedure. Bounties were awarded in January and February this year, and the pilot is considered successful.
The EU-FOSSA 2 project will also try out other methods to scrutinise and improve the security of open source software. One option would be to organise hackathons.
The open source software that is to be tested in the bug bounties will be selected from the ‘criticality metrics’ that were developed during the EU-FOSSA pilot project. The metrics assess the maturity of the software and the activity of the community supporting it.
For each piece of software, the criticality metrics consider its security, the number and nature of its users, and how widely it is implemented by the European institutions. One of the results of the EU-FOSSA project is an inventory of all open source software used at the European Commission. The EC expects to select some 20 open source software projects for the new bug bounties.
“Good collaboration with the community is key to define and run a successful bug bounty programme,” one of the EC project officers responsible for the EU-FOSSA 2 projects said. “That is what we demonstrated with our first bug bounty.”
EC contract award notice
EU-FOSSA 2 project
Julia Reda EU-FOSSA blog