EU Offers Big Bug Bounties On 14 Open Source Software Projects (juliareda.eu) 78
Julia Reda is a member of Germany's Pirate Party, a member of the European Parliament, and the Vice-President of The Greens-European Free Alliance.
Thursday her official web site announced: In 2014, security vulnerabilities were found in important Free Software projects. One of the issues was found in the Open Source encryption library OpenSSL.... The issue made lots of people realise how important Free and Open Source Software is for the integrity and reliability of the Internet and other infrastructure.... That is why my colleague Max Andersson and I started the Free and Open Source Software Audit project: FOSSA... In 2017, the project was extended for three more years. This time, we decided to go one step further and added the carrying out of Bug Bounties on important Free Software projects to the list of measures we wanted to put in place to increase the security of Free and Open Source Software...
In January the European Commission is launching 14 out of a total of 15 bug bounties on Free Software projects that the EU institutions rely on.
The bounties start at 25.000,00 € -- about $29,000 USD -- rising as high as 90.000,00 € ($103,000). "The amount of the bounty depends on the severity of the issue uncovered and the relative importance of the software," Reda writes.
Click through for a list of the software projects for which bug bounties will be offered.
- Filezilla
- Apache Kafka
- Notepad++
- PuTTY
- VLC Media Player
- FLUX TL
- KeePass
- 7-zip
- Digital Signature Services (DSS)
- Drupal
- GNU C Library (glibc)
- PHP Symfony
- Apache Tomcat
- WSO2
More projects needed (Score:4, Insightful)
I applaud the EU for their efforts!!!
Re: More projects needed (Score:1)
Re: (Score:3, Informative)
See:
https://juliareda.eu/2018/12/eu-fossa-bug-bounties/
and from there:
https://www.intigriti.com/public/
and
https://www.hackerone.com/
Re: (Score:1)
With all the EU projects spending more EU taxpayers' money on "free" stuff, that extra money for the gov is getting difficult to extract.
Re: More projects needed (Score:1)
Free as in libre, not beer.
Filezilla and Notepad++ are important. (Score:3, Informative)
Notepad++ [notepad-plus-plus.org] is used for fundamental work, like programming and checking the validity of HTML and organizing HTML web pages. (See the Tidy2 plugin.)
See the list of Notepad++ plugins. [notepad-plus-plus.org]
Re: (Score:3)
Why Yet Another Crypto Library instead of a more widely used one?
If you're referring to DSS then they probably mean that the bug bounty applies to the esig [github.com] library or the standard [oasis-open.org] it is based on. It's a convenient tool for applying and verifying EU-compliant [wikipedia.org] document signatures (PDF, XML, ASiC) throughout EU institutions.
A contrived use case could be that you want to sign a legally binding contract with a Spanish bank to own a summer house, but you authenticate yourself with your Finnish bank, and the Spanish bank has outsourced the signing service to a company located i
Re:Choice? (Score:5, Insightful)
Why Filezilla, a client for a dying technology? Why Notepad++
Because EU institutions rely on them.
The bounties are for the software they actually use.
If you think they should be using something else, that is a different issue. Good luck getting an entrenched bureaucracy to change their workflow to fit your whims.
Re:Choice? (Score:5, Interesting)
Why Filezilla, a client for a dying technology?
Who says FTP is a dying technology? It serves a useful purpose. On occasion I need to download virtual machine images around 90GB in size, or larger. Filezilla + FTP is a very robust transport method. Trying to do this over HTTP will frequently run for hours (or days) and require starting over if an error occurs. FTP is also preferable to torrenting for this, since it doesn't require simultaneous uploading and lots of peers downloading the same image.
Re: Choice? (Score:1)
Sorry as pointed out during the recent US elections, using FTP to distribute data is insecure and legacy. HTTPS is superior because it has encryption.
Re: (Score:2)
Is distributing data the only use case for FTP, or can it also be used to transfer data that isn't being distributed?
Re: (Score:2)
Sorry as pointed out during the recent US elections, using FTP to distribute data is insecure and legacy. HTTPS is superior because it has encryption.
It's not a superior transport mechanism. I'm talking about file transfers that can take hours or even days to complete. In my experience HTTP/HTTPS frequently fails on very large file transfers without any retry functionality. If encryption is a requirement, I can encrypt my files prior to transporting them.
Re: (Score:1)
FTP has been supporting encryption for ages. I set up a Linux box running vsftpd with strong encryption for my employer about six years ago. Just create a self-signed certificate or buy one if needed. Configure a ten-second wait time after an unsuccessful login attempt to get rid of 99.9% of hackers/bots. Still running flawlessly, and never got an intrusion on this machine. The only complaints from users are when contacts from other companies cannot access our server because their firewall rules disallow FTP.
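The setup the comment above describes (vsftpd with TLS, a self-signed or purchased certificate, and a pause after a failed login), written out as a vsftpd.conf fragment. This is an added example, not configuration from the page, the commenter or the vsftpd project; the certificate paths, cipher string, passive port range and the exact failure limits are assumptions for illustration. The commented-out block at the top shows the weak defaults the hardened block replaces.

```ini
# Added example: vsftpd.conf fragment for explicit FTPS (not from the page).
# Paths, cipher list, port range and failure limits below are assumptions.

# --- Weak: plaintext FTP, TLS optional, no brake on password guessing ---
# ssl_enable=NO
# force_local_logins_ssl=NO
# force_local_data_ssl=NO
# delay_failed_login=1

# --- Hardened: require TLS on control and data channels ---
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
# Anonymous access is off here; if it were on, allow_anon_ssl=YES would also be needed.
anonymous_enable=NO
local_enable=YES
write_enable=YES

# Certificate and key (self-signed or bought, as the comment says). Paths assumed.
rsa_cert_file=/etc/ssl/certs/ftp.example.org.pem
rsa_private_key_file=/etc/ssl/private/ftp.example.org.key

# Refuse the legacy SSL protocol versions; keep TLS only.
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
# OpenSSL cipher-list syntax; vsftpd's built-in default is much weaker.
ssl_ciphers=HIGH:!aNULL:!MD5

# The login brake from the comment: pause ten seconds after a failed login,
# and drop the connection after a few failures (limit assumed).
delay_failed_login=10
max_login_fails=3

# Fixed passive port range so the firewall can be scoped to it (values assumed).
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50100
```

With `force_local_logins_ssl=YES` a client that tries a plaintext `USER` command is rejected before any credential is sent, which is what turns "FTP supports encryption" into "this server only speaks encrypted FTP"; the passive range is the part that addresses the other-company-firewall complaint, since a fixed range is something their administrators can actually allow.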
Re: (Score:2)
I find that running an FTP server on a tablet or phone is often the easiest way to get files onto a networked computer that isn't set up to share files over the network.
For example, some sort of machine like a laser printer or CNC that has a windows computer as the interface. Maybe it only has a USB port to accept files, but it is connected to the shop's wifi. No problem, I can just run cmd and then ftp from the command line!
It isn't dying, because the commands already exist and don't require any new integr
Re: Choice? (Score:2)
Re:And who is going to pay for all the updates? (Score:5, Insightful)
And who is going to pay for all the resulting updates?
European taxpayers will pay for it.
The reasoning is that paying for bug fixes will likely be cheaper than paying for security breaches.
I lean libertarian, yet even I see this as a good use of taxpayer euros. The bug fixes help everyone, and they are leveraging the profit motive of the private sector to make it happen.
Disclaimer: I am not a European taxpayer.
Re: (Score:2)
Someone above mentioned funding for maintainers. That would be a hell of a lot more productive
No, unconditional funding is a terrible idea. It would quickly turn into yet another entitlement.
Paying for finding/fixing actual bugs means money is only paid for performance.
Incentives need to be aligned with objectives. If you want bug fixes, you pay for bug fixes, not for "effort".
Why pay for $100,000s for bugs (Score:2)
When instead you can pay $100,000,000s for a software security surveillance department within the military?
Re: (Score:2)
Payment only when serious deficiencies are found. (Score:3)
Julia Reda rocks! (Score:5, Insightful)
She's one of those few politicians who grok IT and software and know what matters, instead of swallowing all the nonsense lobbies throw at them.
I've heard a couple of talks by her and really wish we had a couple more like her.
Re: Hypocrisy (Score:2)
Yep I absolutely want someone straight out of university "fixing" OpenSSL.
Re: (Score:2)
Computers don't care who typed the code; it runs the same regardless of what letters are next to a person's name, or how long their letters have been carefully aged.
No need for scare-quotes around the word fixed, it is a bug bounty not some sort of contract to attempt to fix bugs. If they didn't fix it, they won't get paid.
Re: Hypocrisy (Score:2)
So you'd be happy with a developer with zero experience working on a complex crypto library. You must be an IT manager.
Re: (Score:2)
So you'd be happy with a woozle wurt and bleeble blazzer? What?
I didn't say anything like that, man. Just because you didn't understand the words, doesn't mean I was providing you a Mad Libs. Instead of replacing the words you didn't understand, just look them up.
Re: (Score:1)
openssl had 10 severe vulnerabilities caused by those "senior" programmers.
You don't get my point anyway.
If you want certified or "safe" s/w, you're off to corporate s/w(a.k.a. closed source). OSS comes with this(example from GPL):
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT
Re: (Score:2, Insightful)
So, your argument is: if you want secure software, you have to buy 'corporate software', because open source software comes with a disclaimer?
I can only assume you have never read the fine print of corporate software.
Re: (Score:2)
My advice, do a web search for "printing money" and find out what it means when economists use that term.
Because it doesn't mean, "they spent money in a way I didn't approve of." And it isn't even close to that.
Re: (Score:1)
>implying
Pay for Maintainers (Score:4, Interesting)
If you are identifying problems (bugs) you should also offer solutions (funding).
Re: Pay for Maintainers (Score:1)
Well, some bugs are hard to find; these bounties are just there to give the devs a reasonable chance of getting to hear about bugs before exploits are sold to black-hats. I don't know about you, but personally I think that is a good thing.
Re: (Score:1)
Re: (Score:2)
2. You can't tax people that don't have anything. That's just common sense.
3. Consider yourself lucky that someone creates usable software and provides it freely to others including selfish people who don't appreciate its value or the effort that went into its creation.
Happy New Year!
Re: (Score:2)
Why Drupal and not WordPress? (Score:1)
It seems strange that Drupal with 3.5% market share (globally across both public and private sector) of CMS'es is on the list and yet WordPress, which is the most dominant CMS by far, isn't on the list despite having 59.7% CMS market share (figures from W3Techs [w3techs.com]).
Maybe the European public sector uses Drupal more than WordPress (I have no specific figures on that), but I seriously doubt it considering the 17:1 worldwide usage disparity. Or is Drupal considered less secure than WordPress and needs more fixes?
Re: (Score:2)
WordPress can hardly be considered a CMS; it is blogging software, that's all.
Re: (Score:2)
One reason many prefer Drupal is that it is multilingual, while most other CMSes are not. Multilinguality is a feature needed by many European administrations. (I do not use Drupal, but I know the problems Joomla or WordPress have with multilingual plugins.)
PVS-Studio and Bug Bounties (Score:1)
I'm going to write me a minivan (Score:2)
I must be getting old, no-one else thinks of this when they hear "bug bounty"?
https://dilbert.com/strip/1995... [dilbert.com]