
EU to fund bug bounty programs for open-source projects - svenfaw
https://www.zdnet.com/article/eu-to-fund-bug-bounty-programs-for-14-open-source-projects-starting-january-2019/
======
halfastack
This is a very strange distribution of projects. There are projects like VLC,
Filezilla, and 7-zip, next to often mission-critical pieces of software, like
Kafka, Tomcat, and GlibC. I wonder what went into the decision process to
include each of these libraries.

I also dislike the 'bug bounty platforms'. Why can't I simply report it
upstream, and if accepted, claim my prize? Each of the projects should have
CVE protocols and procedures. The idea probably is to curb the zero-day
vulnerability leaks, but I assume that if you're able to find a CVE, you're
capable of finding a CVE procedure.

Overall, though, this is great of course.

~~~
kyriakos
Most probably these are tools commonly used by EU institutions which have
records of bugs having caused them problems. The solution is to help fix those
bugs by offering money. You are right though, I can't see how VLC can be as
mission critical as Kafka.

~~~
jdietrich
Most police forces use VLC to view CCTV recordings and other multimedia
evidence. It's an entirely logical choice of software, but it presents an
obvious risk in the current climate. I would imagine that many intelligence
services use VLC for similar purposes.

A nation-state adversary with a VLC RCE 0day could do some serious damage; if
they also have an 0day for a popular model of CCTV DVR, they've got the keys
to the kingdom. Those DVRs will never get patched and a nation-state adversary
could dream up all sorts of ways to induce a police officer or an intelligence
agent to play a media file, but at least we can harden VLC.

~~~
noir_lord
That is an interesting thought.

I'd never considered that an excellent media playback program would be a
vector for nation state and entities with nation state capabilities.

------
29athrowaway
What if they took all the office suite licenses budget and invested it in
an open source office suite project like LibreOffice, Calligra suite (formerly
KOffice) or Gnome Office?

~~~
sddfd
The city of Munich tried to develop a Linux distribution "Limux" that was used
for some time, but political considerations ultimately reversed the decision.

[https://en.m.wikipedia.org/wiki/LiMux](https://en.m.wikipedia.org/wiki/LiMux)

~~~
gronne
That's a nice way of putting cronyism, lobbyism and tech-illiteratism.

~~~
qha
That's true, there was cronyism. For example, they used the worse, slower KDE
instead of better options like MATE because KDE has a considerable European
(and even German) legacy. I imagine they took many decisions like that.

Take a computer that used to run Windows 2000 and install KDE on it; it's no
wonder people got pissed and they had to revert their decision.

~~~
Jonnax
KDE is not worse than MATE. A full featured desktop environment with software
suite compared to a fork of GTK 2.

~~~
qha
MATE is a fork of GNOME 2, which is a full featured desktop environment as
well. MATE runs orders of magnitude faster and is much more stable than KDE.
Especially on the old workstations where they installed LiMux.

I'm not going to say that the project failed entirely because of technical
reasons, but at first glance it really looks like they took bad decisions.
It's hard to defend a move where you end up with worse software and a worse
experience for users, no matter how much money you save.

~~~
Jonnax
There's barely any development on the GitHub. And also it seems like there are
few contributors.

Whilst KDE is a much bigger project that is actively developed.

~~~
qha
If that's your indication of the quality of a project then I understand your
position.

~~~
coldtea
First, being abandoned for new development is a great indication of the
quality of a project.

Second, you haven't given us any arguments for your "indications of quality"
regarding MATE and KDE.

Third, like Gnome, KDE has a huge legacy in FOSS, and is a great project in
itself based on a top notch GUI backend. Some of its code even went on and
became the basis of the modern web (KHTML -> Webkit -> Blink -> Node -> now
also Edge), other tools like KDevelop, Krita, etc are among the best in class
in what they do.

What are you, some teenage Linux nerd, with a "favorite" desktop to promote in
flame wars?

~~~
gronne
And I who thought the KDE/Gnome wars were over.

~~~
Jonnax
MATE is not a GNOME project. When GTK3 was made and the decision to build
Gnome Shell was made, the MATE project was started to fork GTK2 and the old
shell.

------
justinclift
This all sounds good, with the exception of FileZilla, who (still) distribute
malware ("bundled ad offers") with their default Windows downloads. :(

Seems kind of bizarre the EU would encourage such practices.

~~~
cyphar
I think it's a stretch to say that the EU is "encouraging" such scummy
practices. It's likely that they just collated a list of all software used
widely by government departments within the EU -- and thus FileZilla is on the
list. Ultimately, a potential 0day causing RCE within a government department
is more of a concern to the EU than the optional malware you get during
FileZilla's installation.

~~~
justinclift
> the optional malware you get during FileZilla's installation.

Think that through. The malware that comes with FileZilla is often reported to
be pretty bad.

Agreed, a potential 0 day (especially when targeted) could also have a really
bad effect.

But Filezilla's malware _isn't_ theoretical, so could really be the bigger
problem.

~~~
cyphar
I haven't used Filezilla in a _long_ time -- is the malware optional? I
imagine that most EU governments image their machines, so their IT departments
likely aren't installing the malware.

And there is also the consideration that governments will continue to use
Filezilla even if there isn't EU funding to make it more secure -- malware and
all.

~~~
justinclift
Good points. Yeah, I'd hope it's the IT departments doing images, rather than
end users being able to install things.

------
pacifika
[https://etendering.ted.europa.eu/cft/cft-display.html?cftId=...](https://etendering.ted.europa.eu/cft/cft-display.html?cftId=3375)

The process was an open tender from which the software projects were chosen.

------
rendx
The European Commission also has additional calls out for intermediaries to
re-distribute funding to open source projects (ICT24), and some of the
intermediaries have their respective calls open for projects (from 5k€ to
200k€):

[https://www.ngi.eu/opencalls/](https://www.ngi.eu/opencalls/)
[https://ec.europa.eu/info/funding-tenders/opportunities/port...](https://ec.europa.eu/info/funding-tenders/opportunities/portal/screen/opportunities/topic-details/ict-24-2018-2019)

------
em3rgent0rdr
Notepad++ seems to be only Windows. Seems it would be better to support a
cross-platform text editor.

~~~
r3bl
It also seems to be the third most popular dev environment overall (behind VS
and VS Code, ahead of Sublime Text and Vim):
[https://insights.stackoverflow.com/survey/2018/#development-...](https://insights.stackoverflow.com/survey/2018/#development-environments-and-tools)

It's not a very interesting target (most of these are not), but it's safe to
say it's a valid target.

------
jabl
Is it worth spending 90kEUR on PuTTY, considering Windows nowadays has
OpenSSH?

~~~
scrollaway
Is it worth spending money on Drupal considering we nowadays have _anything
else_?

The answer is yes. The value of these bug bounty programs is directly tied to
the amount of use the software gets (and most of these get used a ton,
including Putty, regardless of alternatives).

~~~
oelmekki
Do people using this oldish software update it, though?

Funding bug bounty programs kind of fails its objectives if they don't.

~~~
scrollaway
You're not wrong, but those are still separate issues. In the context of
benefit for the government itself, you'd certainly hope so…

Regardless of whether they get updated, these are still a net benefit for new
installs.

~~~
oelmekki
Oh indeed, I'm not trying to say they should not fund these programs, this is
awesome and welcome. I'm just warning about a possible pitfall for them to
keep an eye on :)

------
rasengan
This is a good step, and it’s great glibc is included. In the future, I think
it would be great if more critical, widely distributed libraries/software
could be included like that!

~~~
dhh2106
+1

It's a good initiative and needs a better selection / qualification process

------
ngcc_hk
Excellent. Fewer free riders, better public good.

------
based2
[https://media.ccc.de/v/062_Hacking_EU_funding_for_a_FOSS_pro...](https://media.ccc.de/v/062_Hacking_EU_funding_for_a_FOSS_project)

------
talltimtom
So now the game for developers is to include intentional but sufficiently
obscure bugs that they can harvest money off down the line.

~~~
trulyrandom
I don't think developers would be eligible for bounties for vulnerabilities
found in their own projects.

~~~
talltimtom
So? You sell your exploits to another dev at a fraction of the bounty, other
devs do the same for you. It's not like that puts up any real obstacle.

------
thorin1
Never heard about "Digital Signature Services (DSS), FLUX TL, midPoint, WSO2".
Why were they chosen?

~~~
kozziollek
DSS is an EU-owned library I believe. I used it instead of reimplementing digital
signature verification for XMLs, PDFs, handling certificate revocation, etc.
Makes sense that they want to secure their own library that secures many other
applications.

WSO2 is an Enterprise Service Bus that I used at another company (owned by
government BTW) instead of one from whoever-makes-commercial-ESBs.

~~~
cs747
WSO2 is more than just an Enterprise Service Bus. There are a bunch of products
and solutions belonging to WSO2[1]. Enterprise Service Bus, API Gateway,
Identity and Access Manager, Analytics and Stream Processing Server are the
core products.

[1] [https://wso2.com/platform](https://wso2.com/platform)

------
alkonaut
They should put the money towards paid maintainers instead (or also).

------
garfieldnate
Wow, this is great! I wish the US did this!

------
_pmf_
Targeting existing projects has the advantage of creating fewer perverse
incentives. EU funds for open ended projects are notorious for being leeched.

~~~
jimnotgym
> EU funds for open ended projects are notorious for being leeched

Can you give some examples please?

------
uh_what
Seems like it would be quite easy to game the system. Make contributions with
known vulnerabilities and then submit an anonymous bug report when the
contribution is approved.

~~~
eikenberry
I think the community would keep this to a minimum just through normal peer
pressure and shaming.

~~~
emn13
And most open source projects run a fairly transparent dev process - almost by
necessity. Doing something like that as an individual dev might be possible,
but hard and likely impossible to do structurally (no guarantee to get it in,
no guarantee for the project to be picked next year(s), no guarantee for
nobody else to find it first, and upon discovery, risk that your scam becomes
apparent).

But as a team, the only way to really pull this off involves inserting such
vulnerabilities intentionally and out of sight, which means a closed dev
process. Even if you orchestrate via some other medium - assuming you're using
a VCS, the vulnerability will be publicly traceable to a core contributor -
and if you do that regularly, you'll become known as a project that's a
security nightmare; that might kill the project in the long run. And you might
even raise suspicions purely based on the frequency and nature of
vulnerabilities.

All in all: abusing this sounds like a fairly risky fraud.

~~~
tchaffee
Lots of fraud is risky. And often very worth it if you are very poor and live
in a country where laws against fraud aren't enforced. I think the potential
for abuse deserves a closer look.

------
cannedslime
Even as a life long EU skeptic, I'm okay with this. I'm not sure about the
choice of projects, but I'm sure someone had their reasons for picking the
projects that I don't find particularly relevant for a public funded bug
bounty.

E.g. I'm sure that Notepad++ has its share of bugs, but I doubt many are
critical or security related.

------
tbarbugli
Great idea, I hope they also put money to help get orgs out of PHP, Drupal and
other dead/terrible software. If not, this is a bit depressing and short
sighted.

~~~
kyriakos
Why would they get out of PHP?

~~~
tbarbugli
Do I really have to explain this?

~~~
calibas
PHP has matured greatly since version 5, especially in terms of performance,
and Drupal 8 is a top choice for creating enterprise-level APIs. Neither is
dead and Drupal is only "terrible" for beginners.

By most measurements, PHP is used by a majority of sites on the internet. The
worst part is how many of those still use PHP 5, which reaches end of life
tomorrow...

------
interfixus
My disillusion and cynicism know few bounds in any matter involving the EU (or
any political body, for that matter). Over the years, something like this
could easily morph into _'this open source software certified and legal to
use within the EU'_.

~~~
vertex-four
The EU has been funding the development of open source software through grants
for many years now.

~~~
interfixus
Yes, I know. And?

~~~
Jonnax
What you said hasn't happened.

