EU launches bug bounty programs for five open source solutions
The European Union is, once again, calling on bug hunters to delve into specific open source software and report bugs.
This time around, the list of software that should be probed for weaknesses includes:
- LibreOffice – a free office suite
- Mastodon – free and open-source software for running self-hosted social networking services
- Odoo – a suite of business management software
- Cryptpad – a browser-based, encrypted, open-source collaboration platform that lets people work together online on text documents, spreadsheets and other document types
- LEOS – a software tool for drafting and editing legislation, used by the European Commission, the European Parliament, the Council and several member states
About the bug bounty programs
“One criterion in selecting bug bounties was their use within European public services,” the European Commission Open Source Programme Office (EC OSPO) explained.
The bug bounties have been launched via the Intigriti bug bounty platform, and the EC OSPO is providing a bounty fund of €200,000. Bug hunters can get as much as €5,000 for “exceptional vulnerabilities”, and will receive a 20% bonus if they also provide a fully working fix that is merged into the software.
The rules of engagement and scope of each program differ. LEOS’, LibreOffice’s and Mastodon’s programs are already public.
Bug bounties for vulnerabilities in open source
This is not the first time that the EU is offering bounties for bugs found in popular open source solutions.
In 2015, the European Commission started the Free and Open Source Software Audit (EU-FOSSA) project, which carried out a security audit of the Apache web server and KeePass password manager.
The initial FOSSA project was extended for several years: bug bounty programs were set up for VLC Media Player and 14 other open source software projects, and several hackathons were carried out. EU-FOSSA 2 came to an end in June 2020.
In January 2021, the EU Commission’s ISA² program launched three more open source bug bounty programs, focused on IM platform Element (Matrix), eLearning platform Moodle and email server solution Zimbra.