
Commission launches open source bug bounties

The European Commission has announced the awards for its innovative open source bug bounty programme. Software developers who find security vulnerabilities in the selected open source software will be awarded between EUR 3,000 and EUR 25,000 for critical bugs. Additionally, a 20% bonus will be offered for providing a fix for the detected vulnerability.

See the selected 15 open source software projects on the EU-FOSSA page on JoinUp.

After a successful pilot in December 2017, the Commission is now expanding the bug bounty programme to a select group of 15 open source software projects that are widely used at the European institutions. Each project will be scrutinised by open source software hackers, who will be rewarded with varying cash prizes depending on the severity of the issue they uncover.

The bug bounty programme is a key component of EU-FOSSA 2, the second phase of a project run by the European Commission to make open source software more secure. In 2016, as part of the first phase, the project created an inventory of open source software used at the Commission and carried out code reviews of two open source software projects, namely KeePass and Apache HTTP Server.

The EU-FOSSA 2 project, sponsored by MEPs Julia Reda, Marietje Schaake and Max Andersson, is also devoting effort to a number of other areas that contribute to improved security of open source software.

For example, during 2019 the European Commission will arrange three hackathons, which aim to bring geographically distributed OSS communities together in Brussels to interact with each other and with open source developers working within the EU institutions.

About EU-FOSSA 2

The EU-FOSSA 2 project is managed by the European Commission's Directorate-General for Informatics (DIGIT). EU-FOSSA 2 offers a systematic approach for the EU institutions to ensure that widely used critical software can be trusted. The project will help reinforce the contribution the EU institutions make to ensuring and maintaining the integrity and security of key open source software.