
posted by takyon on Sunday December 30 2018, @07:14PM
from the euro-signs-for-eyes dept.

The European Union will foot the bill for bug bounty programs for 14 open source projects, EU Member of Parliament Julia Reda announced this week.

The 14 projects are, in alphabetical order, 7-zip, Apache Kafka, Apache Tomcat, Digital Signature Services (DSS), Drupal, Filezilla, FLUX TL, the GNU C Library (glibc), KeePass, midPoint, Notepad++, PuTTY, the Symfony PHP framework, VLC Media Player, and WSO2.

The bug bounty programs are being sponsored as part of the third edition of the Free and Open Source Software Audit (FOSSA) project.

EU authorities first approved FOSSA in 2015, a year after security researchers discovered severe vulnerabilities in the OpenSSL library, an open source project used by many websites to support HTTPS connections.

Announcement.


  • (Score: 2) by fyngyrz on Monday December 31 2018, @04:44PM (2 children)

    by fyngyrz (6567) on Monday December 31 2018, @04:44PM (#780300) Journal

    > With closed source software you have to trust the sole provider to not put anything in that you don't want.

    Same with open source. Have you read every line of every bit of open source you've ever used? Even if you have, do you think everyone has? Do you think they all understood what they read? The argument that "it's open, so it's safer" depends on underlying assumptions that are very rarely true.

    > With open source software, you have the option to either look for yourself

    The option isn't the fact.

    > pay someone whom you trust to do it for you.

    Again, extremely rare. Particularly in a community that is biased so strongly against paying for any aspect of software. OTOH, the business who writes closed source software is already paying someone to look into the issues that concern it; and security issues are becoming more important as liabilities stack up against these operations.

    Which is a big deal, because someone outside the company providing the software likely has different goals than the company, while someone inside that company is bound to act in the interest of that company.

    Step back for a moment and think about what those interests are:

    • Sell the product initially
    • Sell upgrades
    • Get and maintain a market position to continue doing this

    It appears — to me — that accomplishing the above requires attention to problems.

    Now consider the open source authors. Suppose the thing doesn't work right. They're not making any money. They are, presumably, doing something else to make money. So where do their priorities lie?

    For instance, take the Rocketchat developer install. [rocket.chat] It straight-up doesn't work. I've had problem reports in to them for months now. No response. I mean no response. Zero. Zip. Nada.

    Or, take the Qt [www.qt.io] project, which is interesting because it's both open source and commercial. You'd think that'd give them the best of both worlds, right? Motivation to fix, because they are making some money, and all those eyes helping out.

    But no. That project is as buggy as a New York slum apartment. Crashes, serious memory leaks, APIs with holes in them you could drive a big truck [youtube.com] through. It has been since version four. Report bugs, they often don't get fixed. The project is either too large for them to address the problems with the people they have available, or they simply don't care, you decide. But the bottom line is, the thing is broken all over the place. Believe me, I know; I've been using Qt since version 4.6.

    Now magnify that times no financial motivation. Ouch.

    Still, overall, they fix more than, for instance, the rocketchat people do.

    Look. I'm not saying all open source is buggy and non-fixable. It's not. I'm also not saying corporations are the only way to make good software. I'm just saying that on the one hand, there are accountable motivations; and on the other, there aren't. The evidence shows that corporations are not entirely bad at software. It also shows that open source folks are not entirely good at software.

    My conclusion is that neither way is optimum, and a fan of either way is really not in a position to cast any stones.

    --
    Calculus... the agony and dx/dc.

  • (Score: 1) by khallow on Monday December 31 2018, @06:40PM

    by khallow (3766) on Monday December 31 2018, @06:40PM (#780342) Journal

    > It appears — to me — that accomplishing the above requires attention to problems.

    Or burying problems so the customer doesn't hear about them. Conflict of interest is a thing.

  • (Score: 2) by Pav on Tuesday January 01 2019, @12:33AM

    by Pav (114) on Tuesday January 01 2019, @12:33AM (#780450)

    Do you work in I.T.?

    Commercial providers (unless they have a ready fix) ALWAYS DENY a problem is known, or that anyone else is having the same problem... it's INDUSTRY PRACTICE! I've even been gaslighted in this way EVEN WHEN I'd spoken to other customers who had confirmed the problem (and also said they'd been given the same runaround by technical support). Free Software people are easy to deal with in comparison, and if there are no resources to quickly deal with a simple problem one can deal with it oneself.