  • EU is going to fund a bug bounty program for 7-Zip, KeePass, Notepad++, VLC Media Player and more

    Posted on December 30th, 2018 at 08:23 woody Comment on the AskWoody Lounge

    Bug bounty programs — where software bug catchers get rewarded for identifying security holes and disclosing them to the manufacturer — have proven popular and worthwhile, although they do have some downsides.

    Bug bounty programs are usually carried out by software manufacturers, who pay to have a chance to fix their mistakes before the bad guys have a chance to clobber their products.

    Folks who make open source software don’t have the same presumably-deep pockets as their commercial counterparts. When it comes to bug bounty programs, there’s no bounty to tap.

    Enter the European Union. As part of the Free and Open Source Software Audit (FOSSA) project, the EU will offer bug bounty programs for several Windows products I use all the time — 7-Zip, KeePass, Notepad++, VLC Media Player — and a bunch of products that I may use indirectly, including Apache Kafka, Apache Tomcat, Digital Signature Services (DSS), Drupal, FileZilla, FLUX TL, the GNU C Library (glibc), midPoint, PuTTY, the Symfony PHP framework, and WSO2.

    As Catalin Cimpanu explains on ZDNet:

    Starting with January, security researchers and security companies can hunt vulnerabilities in these open source projects and report them to the bug bounty programs… in the hopes of a monetary reward, if the bug report is approved and results in a patch.


    This topic contains 22 replies, has 14 voices, and was last updated by OscarCP 3 months, 3 weeks ago.
    • #243187 Reply

      rip
      AskWoody Lounger

      That’s a great idea! I would suggest adding some others such as Python and VeraCrypt (successor to TrueCrypt).

      Given the poor state of laws and regulations in the USofA it is nice to see the Europeans picking up the slack.

    • #243201 Reply

      rc primak
      AskWoody_MVP

      Perhaps off-topic here, but…

      Would this bounty program only apply to the Windows versions of these free programs?

      Most of these titles have Linux versions as well, and no one gets paid a license fee or a subscription fee for those versions either. I don’t know if any of these titles also have Apple MacOS, Android or iOS versions, but wouldn’t these versions also qualify, if the program were being fair and balanced?

      -- rc primak

      • #243203 Reply

        b
        AskWoody Plus

        Nothing in the linked article or announcement says “Windows”.

        FOSSA 2 for VLC Media Player (proof of bug bounty concept) last year said, “All desktop platforms are concerned by this program.”
        https://hackerone.com/vlc

      • #243205 Reply

        Chris B
        AskWoody Plus

        @rcprimak KeePass does not have an Android version. However, there are a number of add-ons written by collaborating, but I think separate, developers that pick up the KeePass database and provide the same functionality on an Android device. I use Keepass2Android, which works very well.

        Chris
        Win7 Home Premium 64 bit Group A

    • #243204 Reply

      OscarCP
      AskWoody Plus

      It looks like the EU will be paying people to do the kind of job that MS used to pay people to do. Not such a bad deal for MS, I would imagine.

      • #243210 Reply

        b
        AskWoody Plus

        These apps were never connected with Microsoft, so no relevance.

        • #243217 Reply

          OscarCP
          AskWoody Plus

          I stand corrected. I really should have read the commentary in ZDNet first…

          So for those at the EU in charge of FOSSA, PuTTY is going to be at the top of their list?

          That could be good news as, same as so many others out there, I use it (or VPN) for remote login with a secure connection to the computers of those I work with in common projects. If one of us is hit through a vulnerability created by PuTTY, then all of us can be in trouble.

    • #243213 Reply

      warrenrumak
      AskWoody Plus

      There’s a “They’re paying for Drupal security vulnerabilities? That might bankrupt the EU!” joke in there somewhere.


    • #243239 Reply

      MW
      AskWoody Plus

      What happened to the open source community’s mantra that “it’s open source, everyone can see the code”? Why aren’t all these volunteers and advocates finding the bugs?

      Now the taxpayers get to foot the bill to pay these white hat hackers.

      Knowing how Governments operate, I’m not sure this is a road we want to travel…  As soon as they start throwing other peoples money at something, they can start demanding they have a say on how things are done.

      Do we really want that..? We all know how things work oh so well when Government busy bodies start meddling.

      W7 & W8.1 - Group W
      Mac Sierra - Group A
      Mint Cinnamon - Group A

      • #243257 Reply

        Ascaris
        AskWoody_MVP

        What happened to the open source community’s mantra that “it’s open source, everyone can see the code”? Why aren’t all these volunteers and advocates finding the bugs?

        That was always a relative thing, not an absolute.  It was an argument in favor of open source in the debate between closed source and open source– not a silver bullet that will forever banish bugs. Compared to closed-source, open-source has more eyes on the code, and that increases the odds of a bug being detected.  It doesn’t mean that every one will be found within a given period of time, just as the closed-source method doesn’t mean that bugs will always be found either.  Since closed-source software has been using bug bounties for a while now, you could just as easily ask about why the closed source method, with all of its resources and centralized authority and professional developers, isn’t finding the bugs.

        That said, I agree that this is not something I’d want any government entity getting involved in for the reasons you mentioned.  It seems harmless enough and benevolent right now, but there’s no way to know what happens in the future.  Will there be expectations of quid pro quo?

        This topic already has an element of politics in it since the EU is by nature a political entity, but this is one we’re going to have to be careful with, given that askwoody.com is not about politics and has a low tolerance for discussions of political matters outside of the designated area.

        Group "L" (KDE Neon User Edition 5.15.4 & Kubuntu 18.04).

        • #243397 Reply

          OscarCP
          AskWoody Plus

          Ascaris: “That said, I agree that this is not something I’d want any government entity getting involved in for the reasons you mentioned. It seems harmless enough and benevolent right now, but there’s no way to know what happens in the future. Will there be expectations of quid pro quo?”

          I am probably missing something here, because I can’t see a problem with the EU paying bounty hunters and publishing their recommendations to help out developers that cannot afford to do it themselves, but cannot be forced to apply the recommendations, although it might be overwhelmingly in their interests to do so (it could be bad PR to do otherwise). It looks to me like this is aimed at improving the safety of computing, something that is increasingly crucial to the proper workings of our progressively more connected civilization. Therefore, I see this as an in-the-public-interest activity of the kind expected from a public regulatory entity (the EU in this case), an activity that, in this case, is not obvious (to me) how it could be made to interfere with the rights of people to develop software and, or use their computers as they might choose. However, the quoted paragraph implies some kind of unspecified potential for abuse of authority. This is probably a question worthy of further discussion, here or elsewhere.

          • #243444 Reply

            Ascaris
            AskWoody_MVP

            I am probably missing something here, because I can’t see a problem with the EU paying bounty hunters and publishing their recommendations to help out developers that cannot afford to do it themselves, but cannot be forced to apply the recommendations, although it might be overwhelmingly in their interests to do so (it could be bad PR to do otherwise).

            I can’t go any farther without delving into the realm of politics more than I think would be allowed here.  Things like the role and nature of government, that sort of thing.

            It looks to me like this is aimed at improving the safety of computing, something that is increasingly crucial to the proper workings of our progressively more connected civilization.

            As they say (more or less), the road to Hades is paved with good intentions.  Lots of things look that way at first glance.

            Therefore, I see this as an in-the-public-interest activity of the kind expected from a public regulatory entity (the EU in this case), an activity that, in this case, is not obvious (to me) how it could be made to interfere with the rights of people to develop software and, or use their computers as they might choose.

            I am not convinced of the desire or capacity for any regulatory agency to work (continuously and exclusively) in the public interest.  It may start out that way, but things have a way of getting worse when governments get involved.

            It’s not hard to envision how this could be a first step in a lot more EU involvement in open source software, and when later on they have a “request” to make of a given project that may be headquartered within the EU, the various humans within the EU could feel as though they’re owed something, and they may well have the backing of their constituency in taking action to get what they think they should have.

            While an open-source project can simply shrug off such a request from the likes of Microsoft, governments with actual power are different. Open source projects aren’t exempt from regulations simply because they’re open source.

            If those open-source projects become dependent on subsidies for their existence, they’re no longer autonomous.  That bit is an issue of private funding of open-source projects as well; Mozilla’s alleged dependence on Google subsidies for making the Google search engine the default one are cited by some as the reason why Mozilla is letting Google call the shots every which way in terms of what a browser is supposed to be, rather than fighting them tooth and nail as they did with Microsoft back in the IE6 days.  Is it true?  I have no idea… but it’s plausible that this effect exists and plays a role.  Sometimes it is wise to look a gift horse in the mouth.

            I’m not saying this is for sure completely bad… only that there be dragons here, and these are the type of dragons I give a wide berth.

            Sorry for all of the idioms, but I’m trying to stay on the good side of the line here!

            However, the quoted paragraph implies some kind of unspecified potential for abuse of authority. This is probably a question worthy of further discussion, here or elsewhere.

            When you’re talking about this kind of dragon, unspecified potential for abuse of authority is more than enough reason to say no and have it never become an issue, potential or otherwise, IMO.

            Ultimately, if they have the cooperation of the various projects, then I would defer to the various project managers and support the decision… they know their code and their propensity to find bugs, and if they think such a bounty funded by a government entity is a good idea, I am not about to tell them they’re wrong.  Given what I know of FOSS people, they probably harbor the same concern over the fear of hidden strings that come with the generous contributions, so if they’re on board even with that in mind, all I can say is I hope they are right.  The source article at ZDNet did not say whether the bounties are being offered with or without the full acceptance and support of the projects involved.

            Group "L" (KDE Neon User Edition 5.15.4 & Kubuntu 18.04).

            • #243528 Reply

              OscarCP
              AskWoody Plus

              Ascaris: You make some good points, but some of what you wrote here is based on what ifs and maybes. One could also play this guessing game about the role of the government’s Centers for Disease Control and Prevention, or NASA, or the Social Security Administration, but I doubt that there will be many of us concerned enough about these being potential threats to our freedoms to follow suit. In fact, there is no present evidence that the EU bounty initiative is a threat to open source developers. And if they became dependent on money from their bounty hunting for the EU, that would be their own fault, and not a very likely thing, in my opinion, as the Open Source movement has been doing quite well so far without any such bounties.

              What I see as a more concrete danger is that the repeated large-scale cyber attacks already happening against users of open source software, including those whose activities are critical to finance, safety-of-life and national security, might prompt actual politicians in actual governments to clamp down with harsher regulations on the activities of open source developers, which would be a really bad thing.

      • #243277 Reply

        Paul T
        AskWoody MVP

        Knowing how Governments operate, I’m not sure this is a road we want to travel… As soon as they start throwing other peoples money at something, they can start demanding they have a say on how things are done.

        Free open source software is not something an outside body can direct. The developers decide if they want something and it’s up to users to decide if they want to use it. If an external body said “we won’t use it unless…” the developers would say, “OK, don’t use it”.

        Spending money on research is always a good thing, who knows what benefits will accrue from the results of looking at stuff. (Although in this case no money may be spent if no bugs are found / patched.)

        cheers, Paul

      • #243430 Reply

        anonymous

        My own, not always humble, opinion agrees with both @mw and @ascaris. But I hold my opinion as a US citizen who views government as restricted by our Constitution. I also recognize the limited influence of my opinion and my Constitution upon the affairs of the EU. If Brussels posts a bounty, it is not for me to debate. I may even benefit from any resulting bughunts.

        They have a system different than the US. The governed appear more comfortable with this form of nationalized industry. I’m willing to defer to their desires, and hope they respect our methods as well.

      • #243490 Reply

        rc primak
        AskWoody_MVP

        What happened to the open source community’s mantra that “it’s open source, everyone can see the code”? Why aren’t all these volunteers and advocates finding the bugs?

        Quite simply, money draws more eyes and greater effort.

        We all know that money brings out more security testers than any feelings of dedication or duty toward a cause or a concept. So, whenever bounties are offered, more bugs get exposed faster than if no one is offering money for the work of testing for vulnerabilities. No one likes to work for free, not even for an open-source project.

        This is also true of “closed-source” software. Outside eyes are usually more freely applied when there’s a bounty involved. And the bounty makes outside “hacking” look more legitimate, though some folks have been threatened with legal actions anyway by closed-source companies.

        Most open-source projects are not strictly unpaid labors of love for their core group of developers. In fact, Ubuntu Linux is maintained by people paid by Canonical, as well as volunteers who contribute code. Microsoft also provides some funding for Canonical these days. Open-source software usually follows similar paradigms.

        What is “open” about open-source is that anyone can see and change the code, with very few restrictions. What is “free” about open-source software is not just the price to the end-user, but the freedom to make these changes and to install copies without special licensing or fees. That is “free as in libre” not “free as in beer”.

        -- rc primak

    • #243247 Reply

      abbodi86
      AskWoody_MVP

      Notepad3 deserves a bounty chance 😀

    • #243270 Reply

      Fred
      AskWoody Lounger

      @rcprimak KeePass does not have an Android version. However, there are a number of add-ons written by collaborating, but I think separate, developers that pick up the KeePass database and provide the same functionality on an Android device. I use Keepass2Android, which works very well.

      Copied that

    • #243282 Reply

      anonymous

      This is a good idea. VLC, 7-Zip, and Notepad++ being pieces of software I use daily, I’m glad to see someone will be able to cover bug bounties for these open source programs. Although has Notepad++ ever really even gotten any security updates? Only security update I remember for it was the CIA thing.

      • #243286 Reply

        mn–
        AskWoody Lounger

        Although has Notepad++ ever really even gotten any security updates? Only security update I remember for it was the CIA thing.

        Well, it’s not like it’s particularly high-risk software (being a single-user application with fairly little in the way of network integration), but it has been getting fairly frequent updates anyway.

        Haven’t checked particularly closely if there’s been an update that’d specifically be labeled as security – but there have been fixes for other products that were labeled as security updates, that fixed similar issues to what’s been fixed in Notepad++ recently, so…

    • #243360 Reply

      anonymous

      I have been involved in a FOSS project (Kodi). The code is all available on GitHub, and anyone can fork it and use it subject to the GPL license. Anyone can write a PR against it, but there is a small number of devs with authority to merge a PR, and in practice there is a vetting process for potential devs. Notepad++ (which I use) is also on GitHub, so anyone can take a look. There has been concern about GitHub since Microsoft bought it, but I don’t know how much (if at all) that has changed any project’s practices. I know there are git-hosting alternatives out there. Ultimately, if the EU-sponsored bounties find problems, it will be up to the devs to accept the changes, or the EU will have to fork and create one-off versions for their use.

      • #243492 Reply

        rc primak
        AskWoody_MVP

        For lay persons, we should clarify that a PR is a Problem Report, often a request for a change based on a discovered program error or vulnerability.

        -- rc primak
