The EU-FOSSA 2 bug bounty programme, which rewards hackers who find critical bugs in open source software used by the EU institutions, started in January 2019. The number and criticality of the vulnerabilities uncovered have already surpassed expectations. Hackers have shown great interest in the bug bounties, submitting over 300 vulnerability reports during the first two months. Each reported vulnerability was examined and then classified; once accepted by the community, the reporter was remunerated accordingly. Over EUR 90.000 has already been paid out and over EUR 130.000 is awaiting validation.
After three months, the initiative has been well received and has proven quite successful. Some programmes are attracting so much attention that they may end earlier than planned, having already exhausted their budget. The EU-FOSSA 2 project nevertheless remains very active, with one bug bounty still to start in the next couple of weeks. Managed by the two platforms Intigriti/Deloitte and HackerOne, the bug bounty programmes have raised a lot of interest in the media, particularly in specialised tech channels, with over 115 news articles referring to the initiative (see this article by The Register).
The EU-FOSSA 2 project’s contribution to FOSS goes beyond bug bounties: the initiative helps communities fix vulnerabilities in a number of ways. For example, a 20% bonus on the prize money is available to the researcher who finds a vulnerability if they also provide a fix. This is a strong incentive for hackers to contribute a solution, which helps the communities address the vulnerabilities that are discovered.
The EU-FOSSA 2 project also contributes by organising bug-fixing hackathons. The European Commission will host three hackathons in 2019, the first of which took place on 6 and 7 April. These aim to bring geographically distributed open source software communities together in Brussels to interact with each other and with developers working within the EU institutions.
For more information on EU-FOSSA 2 and the list of ongoing bug bounties, visit the project page on JoinUp.
EU-FOSSA 2 in numbers so far:
- 309 reported bugs
- 130 valid vulnerabilities
- 11 critical or high severity bugs discovered
- EUR 10.000 + 20% for a fix – highest payout
- 75 registrations for the 1st hackathon
Publication date: 5 April 2019
Directorate-General for Informatics