Listen up, ethical hackers: the European Commission is looking for your help to discover security flaws in some of the most popular free and open source software around. The Commission will fund a total of 15 'bug bounties', prizes for people who actively search for security issues. Fourteen of them will start in January and the remaining one in March next year.
The full list of programs includes 7-zip, Apache Tomcat, Drupal, Filezilla, VLC, KeePass, Notepad++ and other popular tools that the EU institutions rely on, with rewards ranging from €25,000 to €90,000 ($28,600 to $103,000), for a total offered amount of €851,000 ($973,000).
The initiative was announced on Thursday, with a blog post on her website, by Julia Reda, member of the European Pirate Party and co-founder of the Free and Open Source Software Audit (FOSSA) project, which was started in 2014 to help improve the overall security of the Internet after severe vulnerabilities were discovered in key infrastructure components such as the OpenSSL encryption library. The Heartbleed vulnerability showed that some versions of OpenSSL, due to a bug in their implementation, could be exploited to gain access to sensitive data and decode a server's encrypted traffic.
"The issue made lots of people realise how important Free and Open Source Software is for the integrity and reliability of the Internet and other infrastructure. Like many other organisations, institutions like the European Parliament, the Council and the Commission build upon Free Software to run their websites and many other things," Reda writes.
By hacking one or more of these tools, malicious attackers could easily steal important information, or even compromise the functioning of the digital front end of the European political machine.
It wouldn't be a first: the European Commission has already been the target of large-scale cyber attacks. One took place in November 2016 and apparently did not cause major outages or data breaches. Another, more serious one happened earlier this month. On December 19th, the Council Secretariat announced that it was investigating a cyber hack of its communications, with thousands of diplomatic cables stolen by hackers believed to be working for China's People's Liberation Army.
Achieving perfect cyber security is almost impossible, and FOSSA, for all it's worth, is a relatively small project. For comparison, under the Digital Europe programme €2 billion will be invested in the next few years to boost the EU's cybersecurity industry and finance state-of-the-art cybersecurity equipment and infrastructure. But by targeting the potential vulnerabilities in some of the most loved and widely adopted software around, it could well punch above its weight.