Following the success of its first open source bug bounty, the European Commission is preparing a second, larger project. As well as paying software hackers to uncover bugs, the EC is also considering a hackathon to bring together software developers working on the open source tools used in European institutions.
The ultimate goal is to ensure that the EU makes a permanent investment of time and effort to improve the security of open source software.
The outcome of the EC’s first ever bug bounty was announced at Fosdem, Europe’s largest conference for open source software developers, which took place in Brussels last weekend.
In the past two months, the EC has paid out five bounties for security issues found in VLC Media Player. The programme was organised by the HackerOne bug bounty platform, and the largest amount - USD 1,000 - was awarded for the discovery of a “medium” vulnerability. In total, 28 hackers participated. VLC, a popular open source application, had been chosen for the bug hunt on the basis of a public poll in 2016.

EU-Fossa 1 & 2
The European Commission also wants to try out several other methods of scrutinising the security of open source software used at the European institutions. The 2017-2019 project, entitled EU-Free and Open Source Software Auditing (EU-Fossa 2), has a budget of EUR 2.6 million, of which EUR 1.6 million is to be used for bug bounties. The project, an initiative of the European Parliament, is a follow-up to the 2015-2016 EU-Fossa programme.
More information:
EU-Fossa presentation at Fosdem 2018
OSOR news item on the VLC hackathon
EU-Fossa and EU-Fossa 2 project