The European Commission launches a new bug hunting program for five free software projects

The Berlaymont building, headquarters of the European Commission in Brussels, in June 2015. Photo: Fred Romero / Wikimedia Commons / CC BY

The European Commission announced this week that it is launching a new “bug bounty” program for free software. The program, opened on January 13 on the Intigriti platform, offers rewards of up to 5,000 euros “for finding security vulnerabilities in LibreOffice, LEOS, Mastodon, Odoo and CryptPad, open source solutions used by public services throughout the European Union. There is a 20% bonus for providing a code fix for bugs they find.”

A 20% bonus for the fix

The European Commission’s Open Source Program Office (EC OSPO) has budgeted a total of 200,000 euros “to focus again on the security of open source software widely used by public services”.

A new set of bug bounties launched on January 13 using the Intigriti bug bounty platform. In total, an amount of 200,000 euros has been funded by the European Commission’s Open Source Program Office (EC OSPO) to focus again on the security of open source software widely used by public services.

“Researchers are called upon to find security vulnerabilities such as personal data leaks, horizontal/vertical escalation of privileges and SQL injection. The highest reward will be 5,000 Euros for exceptional vulnerabilities and a 20% bonus if the patch is also provided.”
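The three vulnerability classes the brief names are easiest to recognise side by side. The following is an added example, not code from the article or from any of the five projects: on a constructed in-memory SQLite database it shows a vulnerable handler beside its hardened form for SQL injection, horizontal privilege escalation (reading another user's record, which is also how personal data leaks) and vertical privilege escalation (acting as an administrator without being one). Table names, users and amounts are invented for the demonstration.

```python
"""Added example (not from the article): the vulnerability classes named in the
Commission's bounty brief, each as a vulnerable handler beside a fixed one,
exercised against a constructed in-memory SQLite database."""
import sqlite3


def make_db():
    """Build a throwaway database with two users, one admin and two invoices."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER, amount REAL)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "user"), (2, "bob", "user"), (3, "carol", "admin")])
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                     [(10, 1, 120.0), (11, 2, 75.5)])
    return conn


# --- SQL injection: string formatting vs a parameterised query ---
def find_user_vulnerable(conn, name):
    # The caller-supplied name is pasted into the statement, so a quote in it
    # closes the literal and the rest is parsed as SQL.
    return conn.execute(f"SELECT id, name FROM users WHERE name = '{name}'").fetchall()


def find_user_fixed(conn, name):
    # Bound parameters are sent as data; the statement text never changes.
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


# --- horizontal escalation / data leak: missing ownership check ---
def get_invoice_vulnerable(conn, requester_id, invoice_id):
    # Authenticated, but any user can read any invoice by guessing its id.
    return conn.execute("SELECT id, owner_id, amount FROM invoices WHERE id = ?",
                        (invoice_id,)).fetchone()


def get_invoice_fixed(conn, requester_id, invoice_id):
    # The ownership condition is part of the query, so a foreign id yields nothing.
    return conn.execute("SELECT id, owner_id, amount FROM invoices WHERE id = ? AND owner_id = ?",
                        (invoice_id, requester_id)).fetchone()


# --- vertical escalation: trusting a role claimed by the request ---
def delete_user_vulnerable(conn, claimed_role, target_id):
    # The role comes from the request (e.g. a form field or cookie), not the account.
    if claimed_role != "admin":
        return False
    conn.execute("DELETE FROM users WHERE id = ?", (target_id,))
    return True


def delete_user_fixed(conn, requester_id, target_id):
    # The role is looked up from the stored account of the authenticated requester.
    row = conn.execute("SELECT role FROM users WHERE id = ?", (requester_id,)).fetchone()
    if row is None or row[0] != "admin":
        return False
    conn.execute("DELETE FROM users WHERE id = ?", (target_id,))
    return True


if __name__ == "__main__":
    db = make_db()
    print("injection, vulnerable:", find_user_vulnerable(db, "x' OR '1'='1"))
    print("injection, fixed:     ", find_user_fixed(db, "x' OR '1'='1"))
    print("alice reads bob's invoice, vulnerable:", get_invoice_vulnerable(db, 1, 11))
    print("alice reads bob's invoice, fixed:     ", get_invoice_fixed(db, 1, 11))
```

Each pair differs by a single design decision: whether untrusted input reaches the query text, whether the object-level authorisation is part of the lookup, and whether the role is read from the session's account rather than from the request. Those are the decisions a reviewer checks first when triaging a report in any of these classes.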

One of the selection criteria for the bounties was use within European public services. In addition to LibreOffice, Mastodon, Odoo and CryptPad, which “amply fulfilled this criterion and were therefore selected”, OSPO decided to select LEOS, “a legal editor used by the European Commission, Parliament, Council and several Member States”.

70 important bugs discovered during the previous program

The reward scale is as follows (see the Mastodon program, for example): 250 euros for a low-severity bug, 1,000 for a medium one, 2,500 for a major flaw, 4,000 for a “critical” one and 5,000 if the bug discovered is “exceptional”.

In 2019, the European Commission launched a first bug hunting program covering 15 free software projects, including Drupal, KeePass, FileZilla and VLC Media Player, with per-project bounty budgets ranging from 25,000 to 90,000 euros.

At the end of this first program, in mid-2020, the Commission indicated that it had paid out a total of more than 200,000 euros across the 15 bounties for the discovery of more than 200 bugs, including 70 of high or critical severity. One vulnerability in the PuTTY terminal emulator had gone unnoticed for 20 years, said the Brussels institution.
