EU Offering Bug Bounties on Critical Open-Source Software

The EU is offering "bug bounties on Free Software projects that the EU institutions rely on."

Slashdot thread.

Posted on January 9, 2019 at 7:05 AM • 17 Comments

Comments

Kappa • January 9, 2019 8:44 AM

Good initiative, but today is the 9th of January and HackerOne has not opened the possibility to report bugs yet.
If the start date is set to 7th January, it must be so.
Really disappointing...

Tatütata • January 9, 2019 9:26 AM

A laudable initiative, however I can't really see how the list of projects subject to the bounty was arrived at. What is the common denominator?

Some of these I had never heard of until now (e.g. Notepad++: how could a programmer's editor be deemed critical without resorting to elaborate scenarios? Choosing LibreOffice would have been more generally useful), or use generic alternatives (e.g. ssh instead of PuTTY, standard ftp instead of FileZilla in most cases; gzip, zip, bsdtar, and bzip2 instead of 7-zip).

- 7-zip
- Apache Kafka
- Apache Tomcat
- Digital Signature Services (DSS)
- Drupal
- Filezilla
- FLUX TL
- GNU C Library (glibc)
- KeePass
- Notepad++
- PHP Symfony
- PuTTY
- VLC Media Player
- WSO2

My personal peeve with FOSS is the often deficient documentation.

Sancho_P • January 9, 2019 9:40 AM

Bug bounties are the best way to increase security in IT (and society).
Beyond the “we want to improve”, bug bounties stand for transparency and trust, thus are incentives for youngsters and the tech community.

The principle should not be limited to (critical) FOSS SW.
Get rid of “lex bill” plus collect that money from the vendors / manufacturers and we’d be back in capitalism.

Yes, while the list is scary (closed doors?) the principle is right.

Hamfish • January 9, 2019 9:46 AM

1. Underpaid developer leaves obscure flaw in code
2. Pass tip along to friend
3. Friend "discovers" obscure bug
4. Collects bug bounty
5. Splits money with developer

One advantage of closed source software is that it reduces incentives for this kind of game playing.

Ezequiel • January 9, 2019 11:55 AM

Tatütata,

Plenty of people in large organisations do techie work but not enough to get anything but the standard Windows desktop. Including external consultants. For them, PuTTY, Notepad++ and 7-Zip are amazing tools.

Uh huh • January 9, 2019 3:20 PM

> One advantage of closed source software is that it reduces incentives for this kind of game playing.

Is that true?

1. Unethical developer leaves obscure flaw in code
2. Pass tip along to friend
3. Friend sells obscure bug in black market to highest bidder
4. Collects payment
5. Splits money with developer

Same result.

Or the developer can directly market his/her service to whoever will pay for it, and plants whatever obscure flaw the customer wants.

It's quite possible the developer's service can fetch more in the black market than from bug bounty programs.

Adrian • January 9, 2019 3:24 PM

"eg: notepad++. How could a programmer's editor be deemed critical without resorting to elaborate scenarios?"

Simply by being widely used, it's possible for software to make a compromise harder to detect. Here's an example:

https://notepad-plus-plus.org/news/notepad-7.3.3-fix-cia-hacking-issue.html

Yes, it's "elaborate" and yes, it requires that the machine has already been temporarily compromised once. But if you don't know that the machine is compromised, having your malware run in somebody else's process might make detection less likely (e.g., no hinky processes will show up in the process list). A vanilla text editor that's widely used and widely trusted means your malware will likely run on zillions of machines for many hours every day.

Weather • January 9, 2019 6:24 PM

@all
Send me a laptop and I will give these free

- 7-zip: yeah, probably
- Apache Kafka
- Apache Tomcat: in Wine
- Digital Signature Services (DSS)
- Drupal
- Filezilla
- FLUX TL
- GNU C Library (glibc): don't do Linux
- KeePass: lots of paths, probable
- Notepad++: probable
- PHP Symfony: don't do Linux
- PuTTY: lots of user input, probable
- VLC Media Player: definitely
- WSO2

Good • January 9, 2019 8:19 PM

@Hamfish I'm not sure why closed source is less prone to game playing with the bounties than open source... Making something harder for everyone to openly see doesn't necessarily make it any harder to do... in fact, maybe the opposite, maybe it's easier to pull off something nefarious when there's less open review. For example, I'm pretty sure the Dilbert cartoon @Totty posted was depicting closed source developers working in a big corporation.

@Tatütata I agree with @Ezequiel. The common thread here in this list is open source Windows desktop software, plus a few obvious (to non-admins) infrastructure items. I would therefore conclude that the list was not made by nor really aimed at protecting Linux professionals (like you seem to be, since you are familiar with all those command line tools). It is a bit odd for such people to think that whatever GUI utility they use the most must be "Critical" though (as if life would grind to a halt without it, when there are dozens of common replacements out there)...

Weather • January 9, 2019 9:11 PM

Good
I grew up on IDA. It can't run the program, just reads ELF. 2 weeks to 3 months will give; if you want to learn how it works, free, but you are going to have to ask questions.
Yes, Linux is 0x7c, Win 0x23, but IDA has a nice GUI.

Gerard van Vooren • January 10, 2019 2:35 AM

@ Tatütata,

"My personal peeve with FOSS is the often deficient documentation."

True. But OpenBSD is *a lot* better documented than Linux. So there are alternatives.

About Notepad++, the problem is the large (I guess) usage of Microsoft cr*p that could have been used a lot better, including (again) the documentation.

But that all said, I like the idea. Let's spend it.

RealFakeNews • January 13, 2019 5:22 PM

A socialist state exploiting free work?

Why would anyone want to help the corrupt EU?

bob mcbob • January 16, 2019 2:29 PM

@RealFakeNews:

Take it from a European - the EU is far from socialist. Corrupt - definitely maybe.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.