The European Union is once again urging bug hunters to investigate and disclose bugs in certain open source software.
This time around, the software that should be examined for flaws includes:
- LibreOffice – a free office suite
- Mastodon – free and open-source software for running self-hosted social networking services
- Odoo – a suite of business management software
- CryptPad – a browser-based, encrypted, open-source collaboration platform that lets people work together online on documents, spreadsheets, and other file types
- LEOS – a legislative writing and editing software programme used by the European Commission, Parliament, Council, and a number of member states
“One criteria in selecting bug bounties was their use within European public services,” the European Commission Open Source Programme Office (EC OSPO) explained.
The bug bounties have been issued using the Intigriti bug bounty platform, with a €200,000 bounty pool provided by the EC OSPO. For “extraordinary vulnerabilities,” bug hunters can earn up to €5000, with a 20% bonus if they also deliver a fully functional fix that is incorporated into the software.
Each programme has its own set of interaction criteria and scope. The apps for LEOS, LibreOffice, and Mastodon are already available.
It’s not the first time the EU has offered rewards for flaws discovered in popular open source software. The European Commission launched the EU-FOSSA (Free and Open Source Software Audit) project in 2015, which conducted a security audit of the Apache web server and KeePass password manager.
FOSSA was extended for several years, and bug bounty programmes for VLC Media Player and 14 other open source software projects were established, as well as several hackathons. EU-FOSSA 2 came to an end in June 2020. The European Commission's ISA2 initiative introduced three more open source bug bounty programmes in January 2021, focusing on the IM platform Element (Matrix), the eLearning platform Moodle, and the email server solution Zimbra.