The EU-FOSSA 2 project bug bounty programme has been instrumental in discovering a host of bugs within open source software, including a 20-year-old bug in PuTTY.
PuTTY is a remote session tool allowing users to create an interactive session and transfer files to/from remote systems. This vulnerability allowed attackers to execute code remotely and crash the client.
Found on 27 June 2019, it was publicly disclosed on 20 September, after a fix had been implemented in the software. The ethical hacker who reported the vulnerability was rewarded €3,250 from the EU-FOSSA 2 bug bounty programme, and received congratulations from the PuTTY team, who confirmed that the bug had been in the source code since 1999, the very beginning of the project.
Fulfilling its mission
The EU-FOSSA initiative, set up in the wake of the Heartbleed bug in 2014, aimed to find precisely such hidden bugs. Both the PuTTY bug and Heartbleed demonstrate vulnerabilities in widely used open-source tools for setting up secure remote sessions. What PuTTY and OpenSSL share is the implementation of many complex Internet protocols and applied cryptography.
Finding and fixing
The EU-FOSSA 2 bug bounty programme targeted 15 open-source programs: 7-Zip, Apache Kafka, Apache Tomcat, Drupal, DSS, FileZilla, FluxTL, Glibc, KeePass, Midpoint, Notepad++, PHP Symfony, PuTTY, VLC and WSO2.
To date over 600 bugs have been reported, close to 200 accepted with 26 being classified as high or critical. Ethical hackers who found and fixed these bugs have collectively received almost €200k in rewards. Some bug bounties are still running and more vulnerabilities may yet be found and fixed.
About EU-FOSSA 2
The EU-FOSSA 2 project aims to improve the security and integrity of critical open source software in use at the European institutions. Following the success of an initial pilot, the project was renewed for another three years, extending the auditing of free and open source software through setting up bug bounty programmes, organising hackathons and conferences, and engaging with developer communities.
You can read more about EU-FOSSA 2 here.
11 December 2019