Digital Implications: EU Bug Bounties

The European Union has recently launched a bug bounty program for open source technologies like Drupal. What are the digital implications of this move?

The days of tracking highwaymen for miles to collect a bounty from the state are behind us. A&E cancelled Dog the Bounty Hunter. Bug bounty hunting, on the other hand, is becoming an extremely lucrative business thanks to a new European Union program rolling out this month.

Starting in January, the European Commission is offering substantial bug bounties for fifteen open source software projects. One of the largest bug bounties goes to Drupal, to the tune of up to 15,000 Euro (or about $22,600) per bug correctly identified.

Drupal is a powerful content management system used by the European Commission and many member countries to manage their web presence. As such, supporting and strengthening Drupal’s technology (which is already world-renowned for its security) is a high priority for the EU.

Image of a magnifying glass identifying a software bug

Background

The European Union was an early adopter of open source technology in the public sector. Their commitment to open source technology goes back to the year 2000, having built a strategy (since updated three times) around its internal adoption and promotion. Free, open source technology such as Drupal has since been successfully adopted across the EU, demonstrating excellent capabilities in public sector institutions.

The EU bug bounty initiative emerged as a result of discussions that began in 2014 regarding security and performance vulnerabilities in open source software projects. OpenSSL, an open source encryption library used by countless other technologies, was discovered to have significant security vulnerabilities that could have affected the encryption of Internet traffic and personal communications.

Man working on computer with EU logo on screen

Open source software performs extensive functions in the personal lives of EU residents in addition to serving as the backbone of many EU institutions. The OpenSSL incident served as a wake-up call for the importance of securing free and open software, heightening political pressure to proactively address bugs and security vulnerabilities.

Faced with pressure to address technical challenges with open source software, the Free and Open Software Audit (FOSSA) project was created in 2015 by the European Commission. To support FOSSA’s strategy, the EU is now offering nearly $1 million in total bug bounties to support the quality assurance of open source software that is so essential to their, and their citizens’, digital activities.

How does the program work?

The European Commission budgeted nearly $1 million for the bug bounty initiative, distributing this sum among fifteen open source technologies. Developers or “white hat” hackers who accurately identify bugs in the software will be rewarded a sum based on the severity of the bug and the relative importance of the technology to the EU.

As the CMS of choice within the EU and the technology behind the European Commission’s website, over $100,000 was budgeted for enhancing Drupal’s security. Furthermore, a 20% bonus can be earned for contributing a working fix to the bug that is accepted by the Drupal community. This reward would be well-deserved; Drupal is already renowned as one of the most secure open source content management systems in the world. Further securing the CMS would only cement its reputation.

A pile of EU bank notes

A key principle behind open source is the idea that knowledge is distributed, and that’s what the bug bounty program represents. Rather than hiring a small security team to identify vulnerabilities in their software, the EU is leveraging the millions-strong open source community with a financial incentive. This results in reduced costs and the unforeseen benefits of tapping into a vast pool of knowledge.

Digital Implications

Bug bounties are not new, in fact, they’ve existed since the 1980s. Just last fall, the Pentagon paid out over $330,000 to participants of its own “Hack the Pentagon” bug bounty program. It’s a proven model: over 3000 security vulnerabilities were discovered within the Department of Defence’s digital properties in under two years.

The US Pentagon building

The motivation is there too: on average, top white hat hackers earn 2.7 times more than the median salary of a full-time software developer in their home country.

What makes this brand new EU program significant is the focus on securing open source software. This puts additional momentum behind technologies like Drupal, which is a top choice among public sector organizations in North America as well.

$34 million was budgeted for the Pentagon program in 2016. As open source software continues to be adopted in the North American public sector (at all levels of government), one can only imagine how much money would be budgeted for a similar program.

Just as California produced nearly identical legislation a month after the EU’s GDPR was written into law in 2018, trends spread fast. Between the past use of bug bounties and the increasing commitment to open source in both the private and public sectors, it is highly likely that a similar program will be implemented in North America. Drupal 9, which is set to be released in 2020, would become unparalleled worldwide for its security and performance with this level of financing.

Picture of text from the GDPR

Interestingly, not all are welcoming the introduction of open source bug bounties. Some commentators have argued that while bug bounties are a sign that open source security is being seriously addressed, it overlooks what is really needed, which is sustaining a pipeline of maintainers (paid and volunteer) well into the future. It is argued that this is where the real return on investment lies.

Conclusion

Achieving perfect cybersecurity is almost impossible, and a relatively small amount is budgeted for the EU bug bounty initiative. However, the momentum garnered from this move will likely carry open source technology forward for years to come, both in Europe and North America.

Drupal’s bug bounty program will remain in effect until October 15th, 2020, just in time for the much-anticipated release of Drupal 9. The CMS is already one of the most secure open source projects in the world, boasting the world’s largest open source community. That’s why we at OPIN, like the European Union, see its potential. That’s why it serves as the backbone of our award-winning client projects. With the weight of the EU behind it, Drupal will be unstoppable in the coming years.

Drupal logo on phone screen

As for Dog the Bounty Hunter? I heard he’s studying for his Acquia Drupal Certification (although OPIN’s fully-certified team beat him to it).

If you enjoyed this content, feel free to subscribe to our newsletter for more digital insights.