Call for tender for bug bounty platform providers

The European Commission launches a public call for tenders seeking bug bounty platform providers for its EU-FOSSA 2 project. From 14 April 2018 until 24 May 2018, companies can apply to run the EU-FOSSA 2 bug bounties later this year.

Related topics: Informatics

Date: 25/04/2018

Using the call for tenders, the Commission aims to select bug bounty platform providers to help find vulnerabilities in a wide range of free and open source software under the remit of the EUR 2.6 million EU-FOSSA 2 project. Bug bounties are used by organisations to reward individuals who find security vulnerabilities, with awards depending on the severity of the issue uncovered.

The EU-FOSSA 2 project is an initiative of three Members of the European Parliament: Max Andersson, Julia Reda (Greens/EFA) and Marietje Schaake (ALDE). It aims to ensure the security of free and open source software used at the European institutions.

Call for tender specifications

EU-FOSSA 2 project space on Joinup


About the EU-FOSSA project

The idea of the EU-FOSSA project came following the discovery of a serious vulnerability in the OpenSSL cryptographic library in April 2014. The issue, nicknamed Heartbleed, was very easy to spot and solve, yet nobody had checked the OpenSSL code. This incident highlighted the need for funding and security screening of the vast number of open-source software projects, some of which do not have a large organisation behind them.

Julia Reda and Max Andersson, Members of the European Parliament from the Group of the Greens/EFA, proposed to address this problem by raising awareness within the European Parliament and raising much-needed funding to help the Commission audit open-source projects.

A pilot project was carried out during 2015-2016 by DG Informatics of the European Commission. It delivered studies, inventories of open source software and two code reviews: one of Apache HTTP Server Core and the second of KeePass. No major issues were found in these mature open source projects; the minor-severity issues that were found were quickly fixed.


EU-FOSSA 2

The continuation of the EU-FOSSA initiative was approved by the European Parliament in December 2016, with the aim of additionally:

  • finance bug bounties
  • raise public awareness of the importance of software security
  • choose the companies running these activities in an open call for tender
  • organise a hackathon for selected open source communities
  • conduct information campaigns around software security
  • achieve greater public visibility

The project team will also complete its inventory of open-source software used within the different EU institutions to identify candidates requiring security analysis.