From Monday 7 January the European Commission (EC) will start paying out bug bounties to security researchers who find vulnerabilities in 14 open source projects.
The funding pot is part of the EU Free and Open Source Software Audit (FOSSA) project, overseen by the EC’s Directorate General of Informatics (DIGIT).
The bounty programmes, run on the HackerOne and Intigriti platforms, cover open source software (OSS) used in European infrastructure, including streaming software Apache Kafka, content management framework Drupal and puTTY; a free SSH and telnet client for Windows.
But the project has not been without its critics, who have warned it will place a growing workload on volunteer-led projects, potentially alienating code maintainers who will see little personal benefit as a result.
EU Open Source Bug Bounties
Reda, who started the FOSSA project in 2014 commented: “The Internet is built on Free and Open Source Software. It is part of our every day lives. Therefore the European Commission and public administrations in general have a responsibility to ensure its stability, reliability and security – by investing in it.”
The germination of the idea began in 2014 when security vulnerabilities were discovered within the Open Source library OpenSSL; this library underpinned several other projects used by the EU and the vulnerabilities caused numerous issues.
A bug bounty is a payment to a group or individual who has discovered a vulnerability within a system or software, they receive remuneration for their finding by reporting it to the developers in question, most corporations such as Microsoft have systems in place to facilitate the reporting of bugs.
With regards to the EU bug bounty, people wishing to disclose their findings are being directed to the bug bounty platform Hackerone and Intigriti. Below is the full list of open source projects involved and the total amount the EU has allocated to each project.
Not everyone has agreed that as it stands now the EU bug bounty is an outright good idea, most notably Katie Moussouris, founder and CEO of Luta Security.
She noted that the EC has not assigned any additional funding which could be used to pay those who will have to fix any vulnerabilities, that are discovered as part of the upcoming round of bounty hunting, placing an additional workload on often volunteer-led OSS projects.
I disagree that it's a good thing on its own.
Where is the money for more paid maintainers?
It's not there.
A #bugbounty on open source projects that don't get any funding for additional maintainers is likely to decimate the volunteer maintainer labor pipeline of the future https://t.co/1YgwDNeFXM
— Katie 🎊 Moussouris (she/her) (@k8em0) December 28, 2018
However, Julia Reda responded that the EC does not currently have a clear way to reward developers of open source projects that it uses, as in many case it is unclear who you would actually have to pay.
Open Source Security Expert Josh Bressers noted in a blog: “In some cases like the Apache Software Foundation it’s quite clear. In other cases when it’s some person who publishes a library for fun, it’s not clear at all. It may even be illegal in some cases, sending money across borders can get complicated very quickly.”
He believes that the EU is doing the only thing that it can do at the moment, it has money as he says to “throw at the problem,” yet the only place they can currently throw it is into the bug bounty initiative.
One commentator has suggested that the EU have open source developers register as part-time self-employed workers, meaning the EU could pay them directly, but Julia Reda quickly pointed out that due to EU public procurement rules this would not work and that Josh Bresser’s suggestion of a ‘’framework that lets different groups fund open source projects’’ is the right direction.
No. The EU wouldn’t be able to pay them directly due to public procurement rules. The article is precisely right about what would be needed to make this happen.
— Felix Reda (@Senficon) January 3, 2019
One thing is clear and widely agreed on, if bug bounties remain the only way that the EU or others engage and pay for open source projects then some projects will eventually struggle under the weight of an increased workload. One critic noted that
Paul Farrington, Director of EMEA and APJ at Veracode said in an emailed comment: “In the open source arena, it’s a common misconception that somebody else in the community is looking for the security defect… In our 2018 State of Software Security Report, we’ve found that 87.5% of Java applications contain at least one open source library with vulnerabilities included.
He added: “Some of the projects in scope for the EU testing, today rely on other open source projects that are already known to have vulnerabilities associated with them. A simple ‘software composition analysis’ scan of these projects, would reveal the use of such insecure libraries. There’s much that could be done to improve the general hygiene of software development using modern scan automation.”