End of the EU-FOSSA 2 Bug Bounty Program for Open Source Software
By Anna Hammond
July 30, 2020
In January of 2019, Intigriti, in collaboration with European Commission (DIGIT) and Deloitte, announced the start of an exciting cyber security challenge in Europe: the EU-FOSSA 2 bug bounty program. As part of this program, the European Commission launched 15 bug bounties on Free Open Source Software projects that the EU institutions rely on.
Today, this hunt for vulnerabilities in order to make the selected EU-FOSSA programs more secure has come to an end. The EU-FOSSA 2 project was closed on June 2, 2020, with compliments from Members of European Parliament for its positive impact on the European free and open source software ecosystem. The program also attracted positive attention from the general public and media.
Both Intigriti and Deloitte took part in the EU-FOSSA 2 project and were together responsible for the follow-up of 9 programs: 7-ZIP, DSS, KeePass, Apache Tomcat, Drupal, glibc, PHP Symfony, WSO2, FluxTL.
Within those programs, our ethical hackers found 249 bugs, of which 57 were accepted and 33 were rated critical or high severity. We paid € 111.470 in total in bug bounty payments, the largest single payment amounting to € 10 000. In several cases the reporter also supplied a fix that the open source team accepted, which earned the reporter a 20% bonus.
These bug bounties were part of a broader effort from the European Commission to engage with the FOSS community and to increase the general visibility of open source software used by the European institutions. The EU-FOSSA 2 project encompassed multiple other initiatives, in addition to bug bounties, including:
An inventory of the open source software in use at EU institutions.
Three hackathons with open source developers.
Two studies (one on the latest trends in open source within public administrations worldwide, the other on requirements of future open source projects relating to licencing and IT support).
The results have contributed to the upcoming new Open Source Strategy of the European Commission, and to improving the security of the most critical open source software used at EU institutions. As Andrus Ansip, MEP, said:
“[…] we were able to identify hundreds of vulnerabilities, and it was much more efficient for the open source software community, rather than having individuals dealing with those alone”.
We are honoured to have been a part of this and looking forward to new challenges in the future.
For more details visit https://ec.europa.eu/info/news/eu-fossa-2-eus-open-source-cybersecurity-project-ends-2020-jul-14_en.