It’s been a while since I last wrote about the Free and Open Source Software Audit project, FOSSA , so let me start with a quick recap that you can safelyif you’re already familiar with the project.What happened so far
In 2014, security vulnerabilities were found in important Free Software projects. One of the issues was found in the Open Source encryption library OpenSSL . This type of software is called a library because it provides standard functions to a huge number of other softwares. And they subsequently suffered from the issue.
Since OpenSSL is also very important for the encryption of Internet traffic, it is also highly relevant to the protection of your personal communication, or your payment details when you’re shopping online.
The issue made lots of people realise how important Free and Open Source Software is for the integrity and reliability of the Internet and other infrastructure. Like many other organisations, institutions like the European Parliament, the Council and the Commission build upon Free Software to run their websites and many other things. But the Internet is not only crucial to our economy and our administration. It is the infrastructure that runs our every day lives. It is the means we use to retrieve information and to be politically active.
That is why my colleague Max Andersson and I started the Free and Open Source Software Audit project: FOSSA.FOSSA
In 2015-2016, the first iteration of the FOSSA project, the European Commission, that runs the project for us, has inventorized what Free Software it relies on. It also analyzed how the software developers handle security in their projects. And finally, two projects (web server Apache and password manager KeePass ) received a security audit .FOSSA 2
In 2017, the project was extended for three more years. This time, we decided to go one step further and added the carrying out of Bug Bounties on important Free Software projects to the list of measures we wanted to put in place to increase the security of Free and Open Source Software.
We also planned a series of Hackathons that will allow software developers from within the EU institutions, and developers from Free Software projects, to work more closely together and to collaborate directly on their software.FOSSA Bug Bounties
In January, the EU is launching bug bounties on Free Software projects to increase the security of the Internet!
In January the European Commission is launching 14 out of a total of 15 bug bounties on Free Software projects that the EU institutions rely on. A bug bounty is a prize for people who actively search for security issues. The amount of the bounty depends on the severity of the issue uncovered and the relative importance of the software. The software projects chosen were previously identified as candidates in theinventories and apublic survey.
You can contribute to the projects below by analysing the software, and by submitting any bugs or vulnerabilities you find to the involved bug bounty platforms. Here is the list of Software projects and the bug bounties:Software Project Bug Bounty Amount (Euro) Start Date End Date Bug Bounty Platform Filezilla 58.000,00 07/01/2019 15/08/2019 HackerOne Apache Kafka 58.000,00 07/01/2019 15/08/2019 HackerOne Notepad++ 71.000,00 07/01/2019 15/08/2019 HackerOne PuTTY 90.000,00 07/01/2019 15/12/2019 HackerOne VLC Media Player 58.000,00 07/01/2019 15/08/2019 HackerOne FLUX TL 34.000,00 15/01/2019 15/10/2019 Intigriti/Deloitte KeePass 71.000,00 15/01/2019 31/07/2019 Intigriti/Deloitte 7-zip 58.000,00 30/01/2019 15/04/2020 Intigriti/Deloitte Digital Signature Services (DSS) 25.000,00 30/01/2019 15/10/2019 Intigriti/Deloitte Drupal 89.000,00 30/01/2019 15/10/2020 Intigriti/Deloitte GNU C Library (glibc) 45.000,00 30/01/2019 15/12/2019 Intigriti/Deloit