EU seeking ethical hackers to find software bugs

The European Commission just announced 15 prizes (called Bug Bounties) for ethical hackers.

It’s looking for people who can find security flaws in popular open-source software that the European Union relies on. The total prize money available is nearly $1 million and ethical hackers who find bugs in programs such as 7-zip, Apache Tomcat, Drupal, Filezilla, VLC, KeePass, Notepad++ can win individual rewards ranging from $28,600 to $103,000. The amount awarded will depend on the importance of the issue uncovered as well as the software.

Fourteen of the prizes will be available starting this month and the remaining one will be available next March (2020).

Open source software is a critical part of the EU’s digital infrastructure. It helps encrypt Internet traffic, protects the communication and financial details of citizens, and is used to run websites for the European Parliament, Council, and Commission. If this software is vulnerable, hackers can gain access to everything from login credentials to medical files. They can even disrupt European politics.

EU members Julia Reda (Germany) and Max Andersson (Sweden) are running the Bug Bounties program through their Free and Open Source Software Audit project (FOSSA). FOSSA was founded after the Heartbleed bug (which was introduced in 2011) was revealed in 2014. This vulnerability affected over half a million of the Internet’s secure web servers.

FOSSA’s pilot project ran from 2015-2016 and was renewed in 2017. The Bug Bounties program is the third extension of the popular project.

While this is a relatively small project, it does bring awareness to the problem of open source software vulnerabilities. Many of us are not aware that our governments run on vulnerable software and that our data is at risk from hackers.

But this isn’t the only effort the EU is making to protect their digital infrastructure. They’ve also announced a 2 billion Euro effort to boost their cyber security industries in which each member state will nominate its own coordinate center to join a comprehensive task force.

The key will be a coordinated effort. Jean-Claude Juncker, President of the European Commission told the Tallinn Digital Summit in 2017:

“Cyber-attacks know no borders, but our response capacity differs very much from one country to the other, creating loopholes where vulnerabilities attract even more the attacks. The EU needs more robust and effective structures to ensure strong cyber resilience and respond to cyber-attacks. We do not want to be the weakest links in this global threat.”

The EU will need to coordinate this larger response. But until then, bug bounties are a great way to get citizens to help protect cyber infrastructure. It’s a scheme that lets everyone win. Freelancers get a financial reward, and software companies and governments get help from a wide range of experts.

Bug bounties are not a new idea. In fact, Google paid out almost $3 million dollars in rewards last year via their Vulnerability Research Grants Program and Patch Rewards Program to freelancers who discovered bugs in their systems.

Bounties and accompanying hack-a-thons can never guarantee full protection against cyber attacks. However, they will help reveal vulnerabilities that might have gone undiscovered. This project will give ethical hackers a chance to hone their skills for the common good.