European Commission’s bug bounty programme: awards between EUR 3,000 and EUR 25,000 for software developers who find security vulnerabilities

The European Commission has announced the awards for its innovative open source bug bounty programme. Software developers who find security vulnerabilities in the selected open source software, will be awarded between EUR 3,000 and EUR 25,000  for critical bugs. Developers can also earn a 20% bonus, if they additionally provide a fix to the security vulnerability they find.

After a successful pilot in 2017, the Commission is now expanding the bug bounty programme to a select group of 15 open source software, which are widely used at the European institutions.

Through a call for tender process, three bug bounty platform providers were selected as offering the best price/quality ratio, working in a cascade; (i) Intigriti/Deloitte, (ii) HackerOne, and (iii) Econocom Digitial Security / Yes We Hack. The 15 selected open source software projects have been granted to the first two companies in the cascade, Intigriti/Deloitte and HackerOne. The table below shows further details about the bug bounties. Clicking the link on each software, will direct to the dedicated bug bounty platform page for that software, after it is publicly launched.

Start and public go live dates vary according to the platform providers and the communities themselves, based on the platforms’ specific working methods, the readiness of the communities and contractual requirements. The table above will be updated, as dates become firm.

The EU-FOSSA 2 project, sponsored by MEPs Julia Reda, Marietje Schaake and Max Andersson, is also devoting efforts in a number of other areas that contribute to improved security of open source software developments.

For example, the project will host three Hackathons in 2019, each bringing together an OSS community, to solve specific security issues, and to foster collaboration with open source developers including those working at the EU institutions.