Update (16 January 2019): More bug bounties become live, have a look at the full list below!

Update (10 January 2019): As some of you have already pointed out, the bounties haven’t been made public yet. I have been informed by the European Commission that the “start dates” they sent designate the start of the contract with the involved bug bounty platform, rather than the actual publication of the bounty. The publication date is found in collaboration with the software projects involved. Once they are ready, the bounties will be published. I will keep this blog post updated with more info as I receive it.

It’s been a while since I last wrote about the Free and Open Source Software Audit project, FOSSA, so let me start with a quick recap that you can safely skip if you’re already familiar with the project.

What happened so far

In 2014, security vulnerabilities were found in important Free Software projects. One of the issues was found in the Open Source encryption library OpenSSL. This type of software is called a library because it provides standard functions to a huge number of other softwares. And they subsequently suffered from the issue.

Since OpenSSL is also very important for the encryption of Internet traffic, it is also highly relevant to the protection of your personal communication, or your payment details when you’re shopping online.

The issue made lots of people realise how important Free and Open Source Software is for the integrity and reliability of the Internet and other infrastructure. Like many other organisations, institutions like the European Parliament, the Council and the Commission build upon Free Software to run their websites and many other things. But the Internet is not only crucial to our economy and our administration. It is the infrastructure that runs our every day lives. It is the means we use to retrieve information and to be politically active.

That is why my colleague Max Andersson and I started the Free and Open Source Software Audit project: FOSSA.

FOSSA

In 2015-2016, the first iteration of the FOSSA project, the European Commission, that runs the project for us, has created an inventory of what Free Software it relies on. It also analyzed how the software developers handle security in their projects. And finally, two projects (web server Apache and password manager KeePass) received a security audit.

FOSSA 2

In 2017, the project was extended for three more years. This time, we decided to go one step further and added the carrying out of Bug Bounties on important Free Software projects to the list of measures we wanted to put in place to increase the security of Free and Open Source Software.

We also planned a series of Hackathons that will allow software developers from within the EU institutions, and developers from Free Software projects, to work more closely together and to collaborate directly on their software.

FOSSA Bug Bounties

In January, the EU is launching bug bounties on Free Software projects to increase the security of the Internet!

Tweet this!

In January the European Commission is launching 14 out of a total of 15 bug bounties on Free Software projects that the EU institutions rely on. A bug bounty is a prize for people who actively search for security issues. The amount of the bounty depends on the severity of the issue uncovered and the relative importance of the software. The software projects chosen were previously identified as candidates in the inventories and a public survey.

You can contribute to the projects below by analysing the software, and by submitting any bugs or vulnerabilities you find to the involved bug bounty platforms. Here is the list of Software projects and the bug bounties:

We will update this post as more, detailled information becomes available.

To the extent possible under law, the creator has waived all copyright and related or neighboring rights to this work.