EU to fund bug bounty programs for LibreOffice, Mastodon, three others
Catalin Cimpanu January 24, 2022

The European Union will fund a bug bounty program for five open source projects that are heavily used by public services across the EU.

The five programs are LibreOffice, a document editing suite and a free alternative to Microsoft Office; Mastodon, a web-based utility for hosting your own social network; Odoo, an enterprise resource planning (ERP) application; CryptPad, an app for exchanging encrypted messages; and LEOS, software designed to help with drafting legislation.

The bug bounty program will run throughout the year on the Intigriti bug bounty platform, and the EU will provide a rewards pool of up to €200,000 ($225,000).

Bug hunters will be eligible to earn as much as €5,000 ($5,600) for “exceptional vulnerabilities,” and they can also earn a 20% bonus if they provide a fix within their reports.

The new program was announced last week and is sponsored by the European Commission Open Source Programme Office (EC OSPO).

Founded in 2020, EC OSPO is the spiritual successor to the EU-FOSSA (EU-Free and Open Source Software Auditing) project, through which the EU also previously funded two other bug bounty program initiatives for open-source software in 2017 and 2018, respectively.

In the first edition, the EU funded bug reports for VLC Player, a popular free video player, while in the second edition, the EU-FOSSA sponsored bug reports for 14 projects, such as 7-zip, Apache Kafka, Apache Tomcat, Digital Signature Services (DSS), Drupal, Filezilla, FLUX TL, the GNU C Library (glibc), KeePass, midPoint, Notepad++, PuTTY, the Symfony PHP framework, VLC Media Player, and WSO2.

The same program also funded security audits for the Apache HTTPD web server and the KeePass password manager.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.