impact of covid-19 on facility management banner image

Article

The EU-FOSSA 2 project: Open Source Software audits via Bug Bounties for the European Institutions

The EU-funded vulnerability disclosure platform paid out more than €111k over 18 months

The EU-FOSSA 2 project to inventory, audit and improve the security and safety of the most critical open source software in use at the European institutions, has ended. Deloitte was involved in the project, alongside the ethical hacking firm intigriti.

Open source software is everywhere. From a startups to giant corporations: the majority of companies build their software on years of hard work from open source contributors. Stable building blocks play a major role in the secure software development process, and we believe it is our common duty to keep open source projects safe.

Earlier this year, we announced Deloitte’s participation in a segment of the EU FOSSA 2 project, whose aim was to inventory, audit and improve the security and safety of the most critical open source software in use at the European institutions. The EU-FOSSA 2 project, managed by the European Commission aimed at exploring innovative methods for finding and fixing open source software vulnerabilities and at connecting with the wider open source developer community.

Deloitte participated in the bug bounty programmes initiative of the project, where selected open source projects such as KeePass, Drupal, WSO-2, 7-zip, PHP Symfony, Glibc, Apache Tomcat, FluxTL and DSS were tested by researchers. The EU-FOSSA 2 project aims at ensuring the security of Free and Open Source Software (FOSS) used at the EU institutions.

It aims at doing so by finding vulnerabilities through bug bounties in a wide range of FOSS under the remit of the €2.6 million allocated to the EU-FOSSA 2 project. Bug bounties are used by organizations to reward individuals who find security vulnerabilities with the awards depending on the severity of the issue uncovered.

Over the timespan of 16 months, 120 researchers have participated and identified a total of 57 valid vulnerabilities in these open source projects, amounting for a total of more than €111.000 in bug bounties. On top of that, the European Commission has awarded thousands of euros in bonuses for security researchers that contributed a vulnerability patch accepted by the community.

The EU-FOSSA 2 project led to the responsible disclosure and resolution of several critical vulnerabilities, some of which could have affected millions of users. One of the top contributors to the bug bounty programme, Nightwatch Cybersecurity, published several write-ups of discovered vulnerabilities in Apache Tomcat leading to XSS (2019-0221) to Remote Code Execution (CVE-2019-0232). In total, the initiative led to the assignment a dozen of CVE’s, of which more than 25% received a high to critical severity assessment.

We would like to thank the European Commission and all researchers and vendors that worked together to make open source repositories more secure and we look forward to continue our collaboration throughout 2020, offering special discounts and bonuses that stimulate collaboration between security researchers and open source contributors.

EU-FOSSA 2 - the EU’s open source cybersecurity project ends

“Securing free and open source software for the EU, one bug at the time”

Did you find this useful?