The European Commission has launched its first ever bug bounty. It will award between EUR 100 and EUR 3000 for bugs found in VLC media player. The programme will run until the first weeks of January or until the bounty budget is exhausted.
Which bugs will qualify for an award is at the discretion of the VLC team, according to the announcement by HackerOne, a commercial bug bounty platform. “Qualified security vulnerabilities will be rewarded based on severity and impact,” HackerOne says.
In the first phase, the programme will invite hackers with previous experience on the HackerOne platform to participate. After three weeks, the programme will be opened to everyone.
The bug bounty has been made possible by the European Parliament. Late last year, the EP voted for a EUR 2 million follow-up to EU-Fossa, the free and open source software security audit project. This new pilot project allows the Commission to organise bug bounties, focusing on open source software projects and libraries used by the European institutions. VLC, a popular open source software solution, is included on every workstation at the Commission.
Preparations for this first ever EC bug bounty began this summer, when HackerOne was awarded the first contract.
According to sources at the Commission, the VLC team welcomes the inclusion of their software in the bug bounty programme, as they are preparing to release version 3 of the popular open source video player.