EU offers bounties to help find security flaws in open source tools

Cash awards could bolster European government security.

The European Union believes it has a simple way to bolster its digital security: offer lots of cold, hard cash. The European Commission is launching bug bounties in January that will offer prizes in return for spotting security flaws in 14 free, open source software tools EU institutions use. These include well-known tools like VLC Media Player, KeePass, 7-zip and Drupal as well as something as vital as the GNU C Library.

The bounties range from €25,000 to €90,000 (about $28,600 to $102,900) and will start expiring August 15th, 2019, although a few will last until 2020.

The EU started checking open source software in earnest in 2015, when it launched the Free and Open Source Software Audit (FOSSA) in the wake of flaws found in OpenSSL encryption. It extended the project three more years in 2017, when it first outlined plans to offer bug bounties. Now it's starting those bug bounties in earnest; it had previously focused on audits and hackathons. There's no guarantee this will spare the EU from cyberattacks, but any bounties could benefit the community as a whole by patching vulnerabilities that might otherwise go undiscovered.