The EU are have announced that the European Commission is working in partnership with HackerOne and Intigriti to launch a bug bounty program. This will be part of the Free and Open Source Roftware Audit (FOSSA).
Bug Bounty for 15 Open Source Projects
The third edition of FOSSA will include 15 software programs. These are 7-zip, Apache Kafka, Apache Tomcat, Digital Signature Services (DSS), Drupal, Filezilla, FLUX TL, the GNU C Library (glibc), KeePass, MidPoint, Notepad++, PHP Symfony, PuTTY, VLC Media Player and WSO2. This is according to EU Parliament member Julia Reda.
Reda, who has written in detail about the security risks in Open SSL, worked with colleague Max Anderson in 2015 to launch the FOSSA project, which is currently moving into its third phase. The first 14 bug bounty projects are set to begin this month, with the final project beginning in March.
Bringing Hackers Together
Bug bounty programs call upon the hacker community to join forces and search for vulnerabilities. However, applying the crowdsourced concept to open source comes with a range of unexpected challenges, according to Tim Mackey, senior technical evangelist at Black Duck by Synopsys.
“Since bug bounty programs favour the discovery of issues with an implicit assumption resource exist to resolve found issues, any security issue disclosed in public leaves users vulnerable until a fix is found.
“Once a fix is created, that fix needs to be delivered to users. This is by far the most significant hurdle for bug bounty–based efforts in FOSS. The core challenge is an assumption valid only with commercial software – [that] there is a single release stream to upgrade. As the FOSS community knows very well, branches of releases are very common, and it may be difficult to apply a fix from one branch to another.”
Despite Mackey applauding the EU for creating the bug bounty program, he argued that it is just as important to consider the funding for developers and security professionals to work with the communities that create their target applications.
“That way not only are issues being discovered, but the overall process can be improved while addressing any issues uncovered. It should be noted that the target projects represent a very small percentage of open source projects and that while these are obviously critical projects for the EU, it would be worthwhile for the EU to investigate expanding this effort.”
In a December 28, 2018, tweet, Reda expressed the same sentiment. “That would indeed be better, but the @EU_Commission can’t just dish out money to developers who haven’t gone through an onerous public tender process that favours large consultancies that specialize in bidding for tenders rather than Drupal development.”
Setting a New Standard
However, this project is unique when compared to other bug bounties. Bug hunters earn a bonus for remediating the vulnerability by providing a valid fix, according to Laurie Mercer, a security engineer at HackerOne. “For decades the European Commission has supported and encouraged the collaborative development and re-use of publicly-financed open source software.
“This new project, part of the EU-Free and Open Source Software Auditing (EU-FOSSA) project, is designed to improve the security of free software by offering bug bounties to anyone who can discover security vulnerabilities in commonly used packages. Under the terms of Responsible Disclosure, no bugs will be publicly disclosed until they have been patched. This is in line with existing projects run by open source communities like node.JS and Apache.”
Join us for GOVSEC UK
Securing critical information and assets, including the government’s ICT infrastructure, is essential for the purpose of protecting against cyber-attacks, as well as other security threats. Whitehall Media’s 6th annual GovSec conference aims to allow the government to function effectively and safely via improved IT and information security. Join us as we explore how public sector organisations and professionals can make sense of securing their functions in a rapidly changing environment.