Why is it important: The Internet largely depends on open source projects to survive, but these are often developed by hard-working, charitable volunteers rather than well-paid employees. An unfortunate consequence is that developers simply do not get the time and resources they need to hunt for the vulnerabilities that are so pervasive in complex code.
The European Union has recognized this problem, and as part of its Free and Open Source Software Audit (FOSSA) it has set up bug bounties for 15 applications. The amounts range from $30,000 to $100,000 depending on the software in question and, of course, on the severity of the vulnerability found.
In order of highest minimum payout, the software list includes: PuTTY, Drupal, Notepad++, KeePass, FileZilla, Apache Kafka, VLC Media Player, 7-Zip, WSO2, midPoint, GNU C Library, PHP Symfony, Apache Tomcat and Flux TL.
FOSSA, and the introduction of these bug bounties, comes via Member of the European Parliament Julia Reda. According to her blog post on the bounties, FOSSA was launched as a direct result of vulnerabilities found in the OpenSSL library in 201
The problem made many people realize how important free and open source software is to the integrity and reliability of the Internet and other infrastructure. Like many other organizations, institutions such as the European Parliament, the Council and the Commission build on Free Software to run their websites and many other things.
But the Internet is not only crucial to our finances and our administration. It is the infrastructure that drives our everyday life. It is what we use to retrieve information and to be politically active. Therefore, my colleague Max Andersson and I started the Free and Open Source Software Audit project: FOSSA.
FOSSA launched phase one in 2015, conducting a public survey on which software to audit. The results were the Apache HTTP web server and the password manager KeePass, and both were audited with a budget of $1.15 million in 2016. Phase two was launched last year, running a bug bounty program on HackerOne for the VLC Media Player app.
Phase three was planned this year and will officially kick off in January next year, as each of these bug bounties goes live on Intigriti and HackerOne.