EU-FOSSA continued: MEPs want bug bounties
The idea of the EU-FOSSA project appeared following the discovery of a serious vulnerability in the OpenSSL cryptographic library in April 2014. This open-source software library runs on thousands of servers worldwide. The issue, nicknamed Heartbleed, was very easy to spot and solve, yet nobody checked the code. This showed how important proper funding and security screening of open-source software projects are, as some of these projects do not have a large organisation behind them. Meanwhile, using open-source software is becoming the norm in major, critical infrastructures and is one of the pillars of the modern economy.
MEPs from the Group of the Greens/EFA Julia Reda and Max Andersson proposed to solve this problem by helping the open-source projects in need with European Union funding, all for the shared benefit of citizens, companies and the European Union institutions themselves. They view it as a candidate for a permanent action of the EU with permanent financing. This action could make a huge difference to everyone's online security.
A pilot project was carried out during 2015-2016 in DIGIT.B.1 with Everis and KPMG/Trasys. It delivered studies, inventories and two code reviews: one of Apache HTTP Server Core and the second of KeePass. No major issues were found in these mature open-source projects. The minor-severity issues were quickly fixed.
Dominik Reichl from KeePass said: "I think the EU-FOSSA project is a great idea. For KeePass, the project went well and has resulted in improvements. I hope that the EU-FOSSA project will be continued."
The FOSSA project contributed directly to the operational work at the Commission. Indeed, the positive audit result helped the decision to make KeePass available for installation for all Commission users.
The continuation of EU-FOSSA was approved by the European Parliament in December 2016. The team is now preparing the legal and contractual grounds for this much more complex project at DIGIT.B.3 together with colleagues from DIGIT.A. The MEPs Julia Reda (Greens/EFA) and Marietje Schaake (ALDE) have been very clear that the project should not only execute formal code reviews, but also:
- finance bug bounties;
- raise public awareness of the importance of software security;
- choose the companies running these activities in an open call for tender;
- have more public visibility.
Execution of the core of this project is planned to start around Q2/2018, due to the time needed to prepare the call for tender, but work will start immediately by conducting proof-of-concept projects with some existing players in the market in order to better understand the details of how bug bounties should be organised. The team will also perform inventories of open-source software used within the different EU institutions to identify the candidate components requiring security analysis.
Watch the Joinup space of the original pilot project for updates: https://joinup.ec.europa.eu/community/eu-fossa/.