The Bug Bounty Program is a small-scale activity on open source software in which the European Commission targets companies already operating in the market. VLC is a large and widely used piece of software. The main goal of the program is to find important security issues that cannot be found with other approaches such as static analysis, dynamic analysis or fuzzing.
The Bug Bounty program kicked off with a three-week, invitation-only session, after which it will be opened to the public. Rewards start at a minimum of $2,000 for critical severity bugs, in particular remote code execution.
High severity bugs, such as code execution without user intervention, will start at $750. Medium severity bugs will start at a minimum of $300. Low severity bugs, such as information leaks, crashes and the like, will pay out starting at $100. Depending on the case, a bug's severity rating can also be raised to a higher level.
Marek Przybyszewski and Pierre Damas, who work for what is essentially the IT department of the European Commission (known as the Open Source Strategy of the Directorate General for IT, or DIGIT), explained that DIGIT has been introducing free and open source software in its IT stack since at least the year 2000. Since then, it has become strategic in several areas: Linux is used at 80% of the servers of the Commission’s Data Centre and the Europa website is running on Drupal, to name a few.
Julia Reda, a member of the European Parliament from Germany and the originator of the EU-FOSSA project, said that public institutions such as the EU have a responsibility to ensure the security and reliability of this infrastructure. That is why a small part of the EU budget is used to finance security research into open source projects, improving security both for the European institutions themselves and for everyone using them.