The European Union recently launched a bug bounty program for critical infrastructure projects, offering financial compensation to anyone who finds and reports a new security flaw.

The bug bounty is offered as part of FOSSA, the "Free and Open Source Software Audit" project. The FOSSA list includes two notable Java projects: Apache Tomcat and Apache Kafka. Other projects, such as KeePass, are also open for submissions.

The program pays up to €25,000 for exceptional bugs, from a total fund of approximately €851,000 payable to those who find them. Participation is open worldwide for most projects, although some of the programs are private bounties. Full details are available through the European Commission bounty list.

Each project will patch any security issues found during the bounty period. Application developers who depend on the projects featured in FOSSA, or on any other third-party code, should apply basic Software Composition Analysis (SCA) tooling. Similar to GitHub's dependency graph security alerts, tools such as OWASP Dependency-Check, Dependabot, or Contrast Community Edition can monitor a project for components with known vulnerabilities. Without this detection, developers may keep shipping vulnerable versions of these libraries long after the security issues have been patched upstream.
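As an added example (not code from the article or from any of the FOSSA projects), the following Maven build configuration wires OWASP Dependency-Check into a Java project so that the build fails when a dependency carries a known vulnerability at or above a chosen CVSS score. The plugin coordinates, the `check` goal, and the `failBuildOnCVSS` and `suppressionFile` options are real Dependency-Check settings; the `dependency-check.version` property and the `dependency-check-suppressions.xml` path are assumed project-specific values that you would define yourself.

```xml
<!-- Added example: OWASP Dependency-Check bound to the Maven build.
     The plugin version property and the suppression file path are
     assumptions for this illustration; set them for your own project. -->
<project>
  <properties>
    <!-- Assumed property: pin to the current dependency-check release. -->
    <dependency-check.version>REPLACE_WITH_CURRENT_RELEASE</dependency-check.version>
  </properties>

  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>${dependency-check.version}</version>
        <executions>
          <execution>
            <!-- "check" both scans and enforces; "aggregate" would only report
                 across a multi-module build without failing it. -->
            <goals>
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
        <configuration>
          <!-- Fail the build for any dependency with a CVE scored 7.0 (High) or above.
               Lower this threshold as the backlog of known issues shrinks. -->
          <failBuildOnCVSS>7</failBuildOnCVSS>
          <!-- Assumed path: reviewed false positives are recorded here, one
               <suppress> entry per finding, rather than by raising the threshold. -->
          <suppressionFile>${project.basedir}/dependency-check-suppressions.xml</suppressionFile>
        </configuration>
      </plugin>
    </plugins>
  </build>
</project>
```

Running `mvn verify` then downloads the vulnerability data, scans every resolved artifact, and stops the build on a qualifying finding; this is the point at which a developer learns that a FOSSA project they depend on has been patched and that their pinned version is now behind.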

Duo Security's Fahmida Rashid has offered a critique of FOSSA, "Open Source Software Needs Funding, Not Bug Bounty Programs." The analysis primarily calls out the role of unpaid maintainers who already carry a backlog of unfixed issues. Without funds for open source maintenance, newly reported issues may simply be added to that backlog. To that end, FOSSA offers a possible 20% bonus when the reporter also supplies a fix that is accepted and committed. One startup, Tidelift, is helping to fund the maintenance of open source projects with a similar amount of money.

A related recent financial analysis by Trail of Bits indicates that most participants engage in bug bounties as a side hustle. Top performers specialize in select classes of bugs and earn between $16,000 and $34,000 per year depending on the program. Bugcrowd's statistics from 2019 indicate that the average time spent is between 6 and 10 hours per week; however, this figure may not reflect what it takes to be a top performer.

Researchers can participate in the FOSSA bounty programs by registering with HackerOne or Intigriti/Deloitte, the platforms that host the individual bounties.

Other notable bug bounty programs include: