Permanent fixture

Pilot a success: Commission to start larger bug bounty

08/02/2018

Following the success of its first open source bug bounty, the European Commission is preparing a second, larger project. As well as paying software hackers to uncover bugs, the EC is also considering a hackathon to bring together software developers working on the open source tools used in European institutions.

The ultimate goal is to ensure that the EU makes a permanent investment of time and effort to improve the security of open source software.

The outcome of the EC’s first ever bug bounty was announced at Fosdem, Europe’s largest conference for open source software developers, which took place in Brussels last weekend.

In the past two months the EC has paid out five bounties for security issues found in VLC Media Player. The programme was organised on the HackerOne bug bounty platform; the largest single payout, USD 1,000, was awarded for the discovery of a “medium” severity vulnerability. In total, 28 hackers participated. VLC, a popular open source application, had been chosen for the bug hunt on the basis of a public poll in 2016.

A slide from the Fosdem presentation: most of the bug bounty participants (15 of 28) were based in Asia. Europe came next, with 7 participants.

EU-Fossa 1 & 2

The European Commission also wants to try out several other methods of scrutinising the security of open source software used at the European institutions. The 2017-2019 project, entitled EU-Free and Open Source Software Auditing (EU-Fossa 2), has a budget of EUR 2.6 million, of which EUR 1.6 million is to be used for bug bounties. The project, an initiative of the European Parliament, is a follow-up to the 2015-2016 EU-Fossa programme.

More information:

EU-Fossa presentation at Fosdem 2018
OSOR news item on the VLC hackathon
EU-Fossa and EU-Fossa 2 project
