• EU is going to fund a bug bounty program for 7-Zip, KeePass, Notepad++, VLC Media Player and more

    #243184

    Bug bounty programs — where software bug catchers get rewarded for identifying security holes and disclosing them to the manufacturer — have proven
    [See the full post at: EU is going to fund a bug bounty program for 7-Zip, KeePass, Notepad++, VLC Media Player and more]

    9 users thanked author for this post.
    • #243187

      That’s a great idea! I would suggest adding some others such as Python and VeraCrypt (successor to TrueCrypt).

      Given the poor state of laws and regulations in the USofA it is nice to see the Europeans picking up the slack.

    • #243201

      Perhaps off-topic here, but…

      Would this bounty program only apply to the Windows versions of these free programs?

      Most of these titles have Linux versions as well, and no one gets paid a license fee or a subscription fee for those versions either. I don’t know if any of these titles also have Apple MacOS, Android or iOS versions, but wouldn’t these versions also qualify, if the program were being fair and balanced?

      -- rc primak

      • #243203

        Nothing in the linked article or announcement says “Windows”.

        FOSSA 2 for VLC Media Player (proof of bug bounty concept) last year said, “All desktop platforms are concerned by this program.”
        https://hackerone.com/vlc

        4 users thanked author for this post.
      • #243205

        @rcprimak KeePass does not have an Android version. However, there are a number of add-ons written by collaborating, but I think separate, developers that pick up the KeePass database and provide the same functionality on an Android device. I use Keepass2Android, which works very well.

        Chris
        Win 10 Pro x64 Group A

        3 users thanked author for this post.
    • #243204

      It looks like the EU will be paying people to do the kind of job that MS used to pay people to do. Not such a bad deal for MS, I would imagine.

      Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

      MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
      Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
      macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

      1 user thanked author for this post.
      • #243210

        These apps were never connected with Microsoft, so no relevance.

        3 users thanked author for this post.
        • #243217

          I stand corrected. I really should have read the commentary in ZDNet first…

          So for those at the EU in charge of FOSSA, Putty is going to be at the top of their list?

          That could be good news as, same as so many others out there, I use it (or VPN) for remote login with a secure connection to the computers of those I work with in common projects. If one of us is hit through a vulnerability created by Putty, then all of us can be in trouble.


          1 user thanked author for this post.
    • #243213

      There’s a “They’re paying for Drupal security vulnerabilities? That might bankrupt the EU!” joke in there somewhere.


    • #243239

      What happened to the open source community’s mantra that “it’s open source, everyone can see the code” philosophy? Why aren’t all these volunteers and advocates finding the bugs?

      Now the taxpayers get to foot the bill to pay these white hat hackers.

      Knowing how Governments operate, I’m not sure this is a road we want to travel… As soon as they start throwing other people’s money at something, they can start demanding they have a say on how things are done.

      Do we really want that..? We all know how things work oh so well when Government busy bodies start meddling.

      3 users thanked author for this post.
      • #243257

        What happened to the open source community’s mantra that “it’s open source, everyone can see the code” philosophy? Why aren’t all these volunteers and advocates finding the bugs?

        That was always a relative thing, not an absolute. It was an argument in favor of open source in the debate between closed source and open source, not a silver bullet that will forever banish bugs. Compared to closed-source, open-source has more eyes on the code, and that increases the odds of a bug being detected. It doesn’t mean that every one will be found within a given period of time, just as the closed-source method doesn’t mean that bugs will always be found either. Since closed-source software has been using bug bounties for a while now, you could just as easily ask why the closed source method, with all of its resources and centralized authority and professional developers, isn’t finding the bugs.

        That said, I agree that this is not something I’d want any government entity getting involved in for the reasons you mentioned. It seems harmless enough and benevolent right now, but there’s no way to know what happens in the future. Will there be expectations of quid pro quo?

        This topic already has an element of politics in it since the EU is by nature a political entity, but this is one we’re going to have to be careful with, given that askwoody.com is not about politics and has a low tolerance for discussions of political matters outside of the designated area.

        Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
        XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
        Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

        4 users thanked author for this post.
        • #243397

          Ascaris: “That said, I agree that this is not something I’d want any government entity getting involved in for the reasons you mentioned. It seems harmless enough and benevolent right now, but there’s no way to know what happens in the future. Will there be expectations of quid pro quo?”

          I am probably missing something here, because I can’t see a problem with the EU paying bounty hunters and publishing their recommendations to help out developers that cannot afford to do it themselves, but cannot be forced to apply the recommendations, although it might be overwhelmingly in their interests to do so (it could be bad PR to do otherwise). It looks to me like this is aimed at improving the safety of computing, something that is increasingly crucial to the proper workings of our progressively more connected civilization. Therefore, I see this as an in-the-public-interest activity of the kind expected from a public regulatory entity (the EU in this case), an activity that, in this case, is not obvious (to me) how it could be made to interfere with the rights of people to develop software and/or use their computers as they might choose. However, the quoted paragraph implies some kind of unspecified potential for abuse of authority. This is probably a question worthy of further discussion, here or elsewhere.


          • #243444

            I am probably missing something here, because I can’t see a problem with the EU paying bounty hunters and publishing their recommendations to help out developers that cannot afford to do it themselves, but cannot be forced to apply the recommendations, although it might be overwhelmingly in their interests to do so (it could be bad PR to do otherwise).

            I can’t go any farther without delving into the realm of politics more than I think would be allowed here. Things like the role and nature of government, that sort of thing.

            It looks to me like this is aimed at improving the safety of computing, something that is increasingly crucial to the proper workings of our progressively more connected civilization.

            As they say (more or less), the road to Hades is paved with good intentions. Lots of things look that way at first glance.

            Therefore, I see this as an in-the-public-interest activity of the kind expected from a public regulatory entity (the EU in this case), an activity that, in this case, is not obvious (to me) how it could be made to interfere with the rights of people to develop software and/or use their computers as they might choose.

            I am not convinced of the desire or capacity for any regulatory agency to work (continuously and exclusively) in the public interest. It may start out that way, but things have a way of getting worse when governments get involved.

            It’s not hard to envision how this could be a first step in a lot more EU involvement in open source software, and when later on they have a “request” to make of a given project that may be headquartered within the EU, the various humans within the EU could feel as though they’re owed something, and they may well have the backing of their constituency in taking action to get what they think they should have.

            While an open-source project can simply shrug off such a request from the likes of Microsoft, governments with actual power are different. Open source projects aren’t exempt from regulations simply because they’re open source.

            If those open-source projects become dependent on subsidies for their existence, they’re no longer autonomous. That bit is an issue of private funding of open-source projects as well; Mozilla’s alleged dependence on Google subsidies for making the Google search engine the default one is cited by some as the reason why Mozilla is letting Google call the shots every which way in terms of what a browser is supposed to be, rather than fighting them tooth and nail as they did with Microsoft back in the IE6 days. Is it true? I have no idea… but it’s plausible that this effect exists and plays a role. Sometimes it is wise to look a gift horse in the mouth.

            I’m not saying this is for sure completely bad… only that there be dragons here, and these are the type of dragons I give a wide berth.

            Sorry for all of the idioms, but I’m trying to stay on the good side of the line here!

            However, the quoted paragraph implies some kind of unspecified potential for abuse of authority. This is probably a question worthy of further discussion, here or elsewhere.

            When you’re talking about this kind of dragon, unspecified potential for abuse of authority is more than enough reason to say no and have it never become an issue, potential or otherwise, IMO.

            Ultimately, if they have the cooperation of the various projects, then I would defer to the various project managers and support the decision… they know their code and their propensity to find bugs, and if they think such a bounty funded by a government entity is a good idea, I am not about to tell them they’re wrong. Given what I know of FOSS people, they probably harbor the same concern over the fear of hidden strings that come with the generous contributions, so if they’re on board even with that in mind, all I can say is I hope they are right. The source article at ZDNet did not say whether the bounties are being offered with or without the full acceptance and support of the projects involved.


            2 users thanked author for this post.
            • #243528

              Ascaris: You make some good points, but some of what you wrote here is based on what ifs and maybes. One could also play this guessing game about the role of the government’s Centers for Disease Control and Prevention, or NASA, or the Social Security Administration, but I doubt that there will be many of us concerned enough about these being potential threats to our freedoms to follow suit. In fact, there is no present evidence that the EU bounty initiative is a threat to open source developers. And if they became dependent on money from their bounty hunting for the EU, that would be their own fault, and not a very likely thing, in my opinion, as the Open Source movement has been doing quite well so far without any such bounties.

              What I see as a more concrete danger is that the repeated large-scale cyber attacks already happening against users of open source software, including those whose activities are critical to finance, safety-of-life and national security, might prompt actual politicians in actual governments to clamp down with harsher regulations on the activities of open source developers, which would be a really bad thing.


      • #243277

        Knowing how Governments operate, I’m not sure this is a road we want to travel… As soon as they start throwing other people’s money at something, they can start demanding they have a say on how things are done.

        Free open source software is not something an outside body can direct. The developers decide if they want something and it’s up to users to decide if they want to use it. If an external body said “we won’t use it unless…” the developers would say, “OK, don’t use it”.

        Spending money on research is always a good thing; who knows what benefits will accrue from the results of looking at stuff. (Although in this case no money may be spent if no bugs are found / patched.)

        cheers, Paul

        2 users thanked author for this post.
      • #243430

        My own, not always humble, opinion agrees with both @MW and @Ascaris. But I hold my opinion as a US citizen who views government as restricted by our Constitution. I also recognize the limited influence of my opinion and my Constitution upon the affairs of the EU. If Brussels posts a bounty, it is not for me to debate. I may even benefit from any resulting bughunts.

        They have a system different than the US. The governed appear more comfortable with this form of nationalized industry. I’m willing to defer to their desires, and hope they respect our methods as well.

      • #243490

        What happened to the open source community’s mantra that “it’s open source, everyone can see the code” philosophy? Why aren’t all these volunteers and advocates finding the bugs?

        Quite simply, money draws more eyes and greater effort.

        We all know that money brings out more security testers than any feelings of dedication or duty toward a cause or a concept. So, whenever bounties are offered, more bugs get exposed faster than if no one is offering money for the work of testing for vulnerabilities. No one likes to work for free, not even for an open-source project.

        This is also true of “closed-source” software. Outside eyes are usually more freely applied when there’s a bounty involved. And the bounty makes outside “hacking” look more legitimate, though some folks have been threatened with legal actions anyway by closed-source companies.

        Most open-source projects are not strictly unpaid labors of love for their core group of developers. In fact, Ubuntu Linux is maintained by people paid by Canonical, as well as volunteers who contribute code. Microsoft also provides some funding for Canonical these days. Open-source software usually follows similar paradigms.

        What is “open” about open-source is that anyone can see and change the code, with very few restrictions. What is “free” about open-source software is not just the price to the end-user, but the freedom to make these changes and to install copies without special licensing or fees. That is “free as in libre” not “free as in beer”.

        -- rc primak

    • #243247

      Notepad3 deserves a bounty chance 😀

    • #243270

      @rcprimak KeePass does not have an Android version. However, there are a number of add-ons written by collaborating, but I think separate, developers that pick up the KeePass database and provide the same functionality on an Android device. I use Keepass2Android, which works very well.

      Copied that


      * _ ... _ *
      1 user thanked author for this post.
    • #243282

      This is a good idea. VLC, 7-Zip, and Notepad++ being pieces of software I use daily, I’m glad to see someone will be able to cover bug bounties for these open source programs. Although has Notepad++ ever really even gotten any security updates? Only security update I remember for it was the CIA thing.

      • #243286

        Although has Notepad++ ever really even gotten any security updates? Only security update I remember for it was the CIA thing.

        Well, it’s not like it’s particularly high-risk software (being a single-user application with fairly little in the way of network integration), but it has been getting fairly frequent updates anyway.

        Haven’t checked particularly closely if there’s been an update that’d specifically be labeled as security – but there have been fixes for other products that were labeled as security updates, that fixed similar issues to what’s been fixed in Notepad++ recently, so…

    • #243360

      I have been involved in a FOSS project (Kodi). The code is all available on GitHub, and anyone can fork it and use it subject to the GPL license. Anyone can write a PR against it, but there is a small number of devs with authority to merge a PR, and in practice there is a vetting process for potential devs. Notepad++ (which I use) is also on GitHub, so anyone can take a look. There has been concern about GitHub since Microsoft bought it, but I don’t know how much (if at all) that has changed any project’s practices. I know there are git-support alternatives out there. Ultimately if the EU-sponsored bounties find problems, it will be up to the devs to accept the changes or the EU will have to fork and create one-off versions for their use.

      2 users thanked author for this post.
      • #243492

        For lay persons, we should clarify that a PR is a Problem Report, often a request for a change based on a discovered program error or vulnerability.

        -- rc primak

        2 users thanked author for this post.