EUR 3,000 to EUR 25,000

Commission announces bug bounty awards

14/01/2019

The European Commission has announced the awards for its innovative open source bug bounty programme. Software developers who find security vulnerabilities in the selected open source software, will be awarded between EUR 3,000 and EUR 25,000 for critical bugs. Developers can also earn a 20% bonus, if they additionally provide a fix to the security vulnerability they find.

After a successful pilot in 2017, the Commission is now expanding the bug bounty programme to a select group of 15 open source software, which are widely used at the European institutions.

Through a call for tender process, three bug bounty platform providers were selected as offering the best price/quality ratio, working in a cascade; (i) Intigriti/Deloitte, (ii) HackerOne, and (iii) Econocom Digitial Security / Yes We Hack. The 15 selected open source software projects have been granted to the first two companies in the cascade, Intigriti/Deloitte and HackerOne. The table below shows further details about the bug bounties. Clicking the link on each software, will direct to the dedicated bug bounty platform page for that software, after it is publicly launched.

Platform

Program

Program type

Public live date

End date (foreseen, maximum)

Total contract amount

Top prize

Intigriti / Deloitte

KeePass

open

15/01/2019

31/07/2020

71,000.00 €

25,000.00 €

HackerOne

Notepad++

initially private

16/01/2019

15/08/2019

58,000.00 €

5,000.00 €

HackerOne

Filezilla

initially private

29/01/2019

15/08/2019

58,000.00 €

5,000.00 €

HackerOne

Apache Kafka

initially private

17/01/2019

15/08/2019

58,000.00 €

5,000.00 €

HackerOne

PuTTY

initially private

16/01/2019

15/12/2019

90,000.00 €

5,000.00 €

HackerOne

VLC

initially private

22/01/2019

15/08/2019

58,000.00 €

5,000.00 €

Intigriti / Deloitte

Apache Tomcat

open

30/01/2019

15/10/2019

39,000.00 €

10,000.00 €

Intigriti / Deloitte

PHP Symfony

open

30/01/2019

15/10/2019

39,000.00 €

15,000.00 €

Intigriti / Deloitte

WSO2

open

30/01/2019

15/04/2020

58,000.00 €

15,000.00 €

Intigriti / Deloitte

Drupal

open

28/01/2019

15/10/2020

89,000.00 €

15,000.00 €

Intigriti / Deloitte

7-zip

open

30/01/2019

15/04/2020

58,000.00 €

15,000.00 €

Intigriti / Deloitte

DSS

initially private

tbc

15/10/2019

25,000.00 €

5,000.00 €

Intigriti / Deloitte

FLUX TL

private

tbc

15/10/2019

34,000.00 €

10,000.00 €

Intigriti / Deloitte

glibc

open

30/01/2019

15/12/2019

45,000.00 €

10,000.00 €

HackerOne

midPoint

initially private

tbc

15/08/2019

58,000.00 €

3,000.00 €

Start and public go live dates vary according to the platform providers and the communities themselves, based on the platforms’ specific working methods, the readiness of the communities and contractual requirements. The table above will be updated, as dates become firm.

The EU-FOSSA 2 project, sponsored by MEPs Julia Reda, Marietje Schaake and Max Andersson, is also devoting efforts in a number of other areas that contribute to improved security of open source software developments.

For example, the project will host three Hackathons in 2019, each bringing together an OSS community, to solve specific security issues, and to foster collaboration with open source developers including those working at the EU institutions.

Shared in

The content of this field is kept private and will not be shown publicly.