Bug bounty tender for open source software launched in the EU

Marietje

In the aftermath of the Heartbleed crisis the European Parliament set aside 1.9 million euros in the EU Budget in order to improve the EU's IT infrastructure. It did this by extending the free software audit program (FOSSA) that MEPs Max Andersson and Julia Reda initiated, and by adding a bug bounty approach to the program through a pilot project I worked on.

The Commission has now launched a call for tenders to implement that bug bounty project. Companies interested in providing open source software audits via bug bounties for the EU Institutions can submit their tenders until 29 May at 10.30 Brussels time.

As the Commission says:

The purpose of a "bug bounty" activity is to ensure that the Commission uses open source software projects or libraries that have been properly screened for potential vulnerabilities. In addition, by publishing the results of the bounties and code reviews, this call for tenders will, indirectly, benefit all users of open source software and thus contribute to the goals of the EU programmes EU FOSSA.

Bug bounty programs are used by companies and public institutions around the world to compensate and recognise individuals who find vulnerabilities in software products.

While commercial companies increasingly offer rewards to information security researchers ("hackers") who discover critical flaws, there are not many similar opportunities for open source software projects. This new project allows the Commission to offer such bug bounties, focusing on open source software projects and libraries used by the European institutions.

Since the Commission had never organised a large bug bounty program before, it ran a small, successful pilot last year to find bugs in the VLC media player, a popular open source application that is installed on every workstation at the Commission. The outcome of this mini bug bounty program was announced at Fosdem, Europe's largest conference for open source software developers. Now the Commission is ready to spend 1.2 million euros on the bug bounty project over the coming two years. All details can be found here.

At a later stage the Commission will also organise hackathons to bring together software developers working on the open source tools used in the European institutions. The ultimate goal is to ensure that the EU makes a permanent investment of time and effort in improving the security of open source software.