In a recent announcement, the European Commission (EC) shared details of a newly introduced bug bounty program for open-source software. The program awards researchers bounties of up to €5,000 for finding vulnerabilities in open-source software used by public services across the EU.
European Commission Open-Source Bug Bounty Program
According to the details shared in the latest press release, the European Commission Open Source Programme Office (EC OSPO) has funded a new set of bug bounties for researchers.
Under the new program, researchers can earn up to EUR 5,000 per vulnerability found in open-source software used by public services in the European Union. The software in scope is LibreOffice, LEOS, Mastodon, Odoo and CryptPad.
Moreover, the EC pledged a 20% bonus on top of the bounty for reports that also include a fix for the reported vulnerability.
Regarding the choice of the software, the statement reads,
One criterion in selecting bug bounties was their use within European public services. LibreOffice, Mastodon, Odoo, and Cryptpad amply met this criterion and were therefore selected.
In addition, the EC OSPO decided to select LEOS, a legal editor used by the European Commission, Parliament, Council, and several member states.
As for the bug classes in scope, researchers can report vulnerabilities such as privilege escalation, SQL injection, and data leaks.
The European Commission has launched this bug bounty program on the popular platform Intigriti.
Given the recent open-source chaos in the wake of the Log4j vulnerability, such bug bounties can significantly speed up the detection and patching of serious issues.
The Apache Log4j vulnerability wreaked havoc online after attackers began exploiting it before a fix was available. The situation worsened as a series of back-to-back patches failed to fully address the bug until the final fix arrived.
Consequently, the security community rushed to develop vulnerability scanners for detecting Log4Shell and similar bugs before they could be exploited.
Nonetheless, it remained a productive attack vector, with attackers using it against significant targets such as the Belgian Defense Ministry.