European Commission Launches Program that Rewards the Detection of Bugs in its Projects

The European Commission has launched a program that rewards bug detection in the open source projects that underpin its public services.

Bug bounty hunters can receive up to 5,000 EUR (equivalent to 5,600 USD) for finding security vulnerabilities in open source software used throughout the European Union (EU), including LibreOffice, LEOS, Mastodon, Odoo and CryptPad. This program, led by the European bug bounty platform Intigriti, will also offer a 20% bonus if researchers provide a code fix for the bugs.

In a statement released on January 19, the EC said it is seeking reports of security vulnerabilities such as personal data exposure, horizontal/vertical privilege escalation, and SQL injection. The highest reward will be paid for the detection of "exceptional vulnerabilities."

This latest program follows on from another program, called FOSSA, also from the EU, which paid out over $220,000 in its 18 months of operation, and was heralded as a "remarkable success."

Speaking to The Daily Swig, Inti De Ceukelaire, head of hackers at Intigriti, said that the partnership came about last year when Intigriti led a program funded by the EC's ISA2 program. "We are committed to further nurturing the relationship with the open source communities we have established over the past years," the Belgian tester noted. "I personally believe that all government agencies should have and encourage the use of vulnerability disclosure policies and introduce or adopt unambiguous laws to support vulnerability research. Bug bounties, among other crowdsourcing initiatives, are a great way to encourage this."

De Ceukelaire added: "Virtually every organization uses open source projects in one form or another. Identifying and resolving security vulnerabilities in these projects has an impact at scale. The Log4j incident showed us that supporting the security of widely used open source projects is an absolute necessity, so we can only applaud this initiative by the European Commission."