The European Union is, once again, calling on bug hunters to delve into specific open source software and report bugs.
This time around, the list of software that should be probed for weaknesses includes:
“One criterion in selecting bug bounties was their use within European public services,” the European Commission Open Source Programme Office (EC OSPO) explained.
The bug bounties have been launched via the Intigriti bug bounty platform and the EC OSPO is providing a bounty fund of €200,000. Bug hunters can get as much as €5000 for “exceptional vulnerabilities”, and will receive a 20% bonus if they also provide a fully working fix that is merged into the software.
The rules of engagement and scope of each program differ. LEOS’, LibreOffice’s and Mastodon’s programs are already public.
This is not the first time that the EU is offering bounties for bugs found in popular open source solutions.
In 2015, the European Commission started the Free and Open Source Software Audit (EU-FOSSA) project, which carried out a security audit of the Apache web server and KeePass password manager.
The initial FOSSA project was extended for several years; bug bounty programs for VLC Media Player and 14 other open source projects were set up, and several hackathons were carried out. EU-FOSSA 2 came to an end in June 2020.
In January 2021, the EU Commission’s ISA² program launched three more open source bug bounty programs, focused on the IM platform Element (Matrix), the eLearning platform Moodle and the email server solution Zimbra.