The EU-FOSSA projects (1 and 2) team at the European Commission is testing instruments commonly used in software development - code security audits, bug bounties and hackathons - to see if (and how) these can be included permanently in the EC’s tool box.
EU-FOSSA 2 in 2018 and 2019 is testing bug bounties and hackathons, rather unusual instruments in the EC environment - with its tightly managed annual budget plans.
EU-FOSSA 2 has organised 15 bug bounties. It’s proving to be a cost-effective way to identify security vulnerabilities (with extras for fixes). Likewise, the hackathons bring together open source developers from across the world, interacting with peers working for the European institutions in Brussels.
The team is also studying the best practices of open source in public administrations worldwide; and making an inventory of roadblocks to increase use, related to licensing and IT support.
A permanent item
It’s predecessor, EU-FOSSA 1, ran in 2015 and 2016. The EUR 1 million budget was earmarked by the European Parliament on the request of MEPs Julia Reda and Max Andersson (both Greens/EFA) in 2015. The goal, as explained by MEP Reda, is to “establish Free Software Security as a permanent item in the EU budget.”
The Commission-led team has listed all open source solutions in use at the Commission (servers and workstations). The team determined how to sort these solutions in terms of software security issues and risks for the public services that rely on them. The team then requested external experts to do code security audits on Apache Server and Keepass solutions. The latter was selected by interested citizens, following presentations, surveys and polls. The code audits found no major issues, and minor security issues were quickly fixed.
The project’s success motivated MEPS Reda, Andersson and Marietje Schaake (ALDE) to increase funding to EUR 2.6 million for a follow-up project.