In January of 2019, Intigriti, in collaboration with European Commission (DIGIT) and Deloitte, announced the start of an exciting cyber security challenge in Europe: the EU-FOSSA 2 bug bounty program. As part of this program, the European Commission launched 15 bug bounties on Free Open Source Software projects that the EU institutions rely on.
Today, this hunt for vulnerabilities in order to make the selected EU-FOSSA programs more secure has come to an end. The EU-FOSSA 2 project was closed on June 2, 2020, with compliments from Members of European Parliament for its positive impact on the European free and open source software ecosystem. The program also attracted positive attention from the general public and media.
Both Intigriti and Deloitte took part in the EU-FOSSA 2 project and were together responsible for the follow-up of 9 programs: 7-Zip, DSS, KeePass, Apache Tomcat, Drupal, glibc, PHP Symfony, WSO2 and FluxTL.
Within those programs, our ethical hackers found 249 bugs, of which 57 were accepted and 33 were rated critical or high severity. We paid € 111.470 in total in bug bounty payments, with the largest single payment amounting to € 10 000. Several fixes were provided by the reporter and accepted by the open source teams, resulting in a 20% bonus for the reporter.
These bug bounties were part of a broader effort from the European Commission to engage with the FOSS community and to increase the general visibility of open source software used by the European institutions. The EU-FOSSA 2 project encompassed multiple other initiatives, in addition to bug bounties, including:
- An inventory of the open source software in use at EU institutions.
- Three hackathons with open source developers.
- Two studies (one on the latest trends in open source within public administrations worldwide, the other on the requirements of future open source projects relating to licensing and IT support).
The results have contributed to the upcoming new Open Source Strategy of the European Commission and to improving the security of the most critical open source software used at EU institutions. As Andrus Ansip, MEP, said:
“[…] we were able to identify hundreds of vulnerabilities, and it was much more efficient for the open source software community, rather than having individuals dealing with those alone”.
We are honoured to have been a part of this and are looking forward to new challenges in the future.