The European Commission is on the lookout for ways to improve the security of the software it uses. A recent innovation saw the launch of its first ever bug bounty programme for VLC, the popular open source media player. The programme is coordinated by the Directorate of Informatics (DIGIT).
Bug bounty programmes are used by companies and public institutions around the world to compensate and recognise individuals who find vulnerabilities in software products. The focus of the Commission's bug bounty programme is open source software, arising from the "EU Free and Open Source Software Auditing" project (EU-FOSSA), initiated by three Members of the European Parliament: Max Andersson, Julia Reda (both Greens/EFA) and Marietje Schaake (ALDE).
Between EUR 100 and EUR 3000 will be awarded for bugs found in VLC player, an open source media player installed on every workstation at the Commission. The programme is expected to run until the end of January 2018 or until the bounty budget is exhausted.
“Qualified security vulnerabilities will be rewarded based on severity and impact,” announced HackerOne, the company/platform commissioned to manage the bug bounty for VLC.
Which bugs qualify for an award is at the discretion of the VLC team. Award amounts depend on the severity of the vulnerabilities found and will be calculated using the industry-standard Common Vulnerability Scoring System (CVSS) version 3.0. The programme is now open for everyone to participate.
The bug bounty has been made possible by the EUR 2.6 million EU-FOSSA 2, a follow-up to the EU-FOSSA (Free and Open Source Software Audit) pilot project. Preparations for the VLC player bug bounty began in the summer of 2017, with HackerOne awarded the first contract in a negotiated procedure open to all interested companies. A call for tenders for further bug bounties will follow during the implementation of the EU-FOSSA 2 project in 2018-2019. The prior information notice can be found here.
The idea for the EU-FOSSA project came following the discovery of a serious vulnerability in the OpenSSL cryptographic library in April 2014. This open source software library runs on thousands of servers worldwide. The issue, nicknamed Heartbleed, was easy to spot and solve, yet nobody had checked the OpenSSL code. This incident highlighted the need for funding to security-screen the vast number of open source software projects. The urgency and importance are further underscored by the fact that the use of open source software is becoming the norm in major, critical infrastructures and is one of the pillars of the modern digital economy and society at large.
Greens/EFA MEPs Julia Reda and Max Andersson proposed to address this problem by raising awareness within the European Parliament and securing much-needed funding to help the Commission audit open source projects, for the shared benefit of EU citizens, companies and the European Union institutions themselves. So critical is this issue that they view it as a candidate for permanent, fully funded action within the EU. This action could make a huge difference in improving everyone's online security.
A pilot project was carried out during 2015-2016 by DG Informatics of the European Commission. It delivered studies, inventories of open source software and two code reviews: one of Apache HTTP Server Core and the second of KeePass. No major issues were found in these mature open source projects, and the minor issues that were found were quickly fixed. Dominik Reichl from KeePass said: "I think the EU-FOSSA project is a great idea. For KeePass, the project went well and has resulted in improvements."
The EU-FOSSA project contributed directly to the operational work at the Commission. Indeed, the positive audit result helped the decision to make KeePass available for installation to all Commission users.
The continuation of the EU-FOSSA initiative was approved by the European Parliament in December 2016 with the aim to additionally:
- finance bug bounties
- raise public awareness of the importance of software security
- choose the companies running these activities in an open call for tender
- organise a hackathon for selected open source communities
- conduct information campaigns around software security
- achieve greater public visibility
Execution of the core of this project is planned to start around Q2 2018, owing to the time needed to prepare the call for tender, but work started immediately with proof-of-concept projects to better understand how bug bounties should be organised. The project team will also complete its inventory of open source software used within the different EU institutions, in order to identify candidates requiring security analysis.
European Parliament votes to extend Free Software security audits (blog post by Julia Reda)