EU Commission Reactivates Bug Bounties
Written by Nikos Vaggalis   
Monday, 11 August 2025

After a period of inactivity, the EC Open Source Programme Office (EC OSPO) has awarded a contract for organizing bug bounties on open source software.

We've tackled the subject of the EU looking after OSS security a few times in the past. It was almost three and a half years ago, on 11 February 2022, that an EU bug bounty program was launched, covered in European Union Will Pay For Finding Bugs In Open Source Software. Here's an extract from that piece to refresh memories:

Open Source Software powers everything, from modern servers, to IoT, to the desktops at work and, as it seems, is at the heart of European Union systems too. While this EU bug bounty initiative is welcome, it is not something new; I covered the origins of the program in 2019, see "EU Bug Bounty - Software Security as a Civil Right".

Rolling back to 2019 and the aforementioned article:

A State-sponsored bug bounty comes as refreshing news in that it shows that amongst the bureaucrats there are tech-savvy people who understand the true value of OSS software to society, and as such the impact when its security goes wrong.

This EU initiative is part of the Free and Open Source Software Audit (FOSSA) project, thanks to Julia Reda MEP of the EU Pirate Party, who started the project thinking that enough is enough after severe vulnerabilities were discovered in key infrastructure components like OpenSSL. This prompted her to involve the EU Commission in contributing to the security of the Internet.

That is, the whole initiative was launched just because of the OpenSSL bug Heartbleed.

This time, in 2025, the EU Commission has found the funds, almost 8 million euros, to sponsor yet another bounty on critical open source software used by European public services. And while the bug bounties organized thus far were about public OSS software, this time the Commission wants internal projects audited for vulnerabilities as well.

The OSS software that's going to be audited is not disclosed yet, but we can guess from previous experience. In "The German Government's Sovereign Tech Fund For OSS" we explored another initiative by the German Federal Government to strengthen the important role Open Source Software plays in modern society, by auditing OSS that public services use across the European Union. That list comprised:

  • LibreOffice - the free and powerful office suite.
  • Mastodon - a free, open-source social network server based on ActivityPub where users can follow friends and discover new ones.
  • Odoo - an ERP business management solution with an eCommerce and CRM system built in.
  • Cryptpad - a secure and encrypted open-source collaboration platform that allows people to work together online on documents, spreadsheets, and other types of documents.
  • LEOS - software tool helping those involved in drafting legislation, which is usually a complex process requiring efficient online collaboration.

Then in 2024, in Is The German State In Love With OSS?, we examined the German state launching openDesk, "the sovereign workplace":

openDesk, aims to become an alternative in the field of workplace software for the German Public Administration, under the ultimate motive of achieving digital sovereignty. Using openDesk, employees, IT administrators and public transport operators will have an effective open source based alternative in the workplace environment, therefore allowing the state to cut costs by not being held hostage in paying absurd amounts of fees to big corp software packages.

Practically, these categories are utilized through the following software included at the time of writing:

  • Collabora
  • OpenProject
  • XWiki
  • CryptPad
  • Draw.io
  • Nordeck
  • OX
  • Jitsi
  • Nextcloud

And the push for establishing an EU-wide adoption of OSS didn't end there. Last year the German state was again a driving force behind the initiative, as reported in One State's Quest For Digital Sovereignty, to move 30,000 PCs to LibreOffice. This new attempt at moving to LibreOffice is putting yet another stone on the path to the State's digital sovereignty campaign. Specifically, the federal state of Schleswig-Holstein has decided to move from Microsoft Windows and Microsoft Office to Linux and LibreOffice, starting with the migration of 30K PCs. The official statement explains the rationale of the move:

With a cabinet decision to introduce the open-source software LibreOffice as a standard office solution across the board, the government has given the starting signal for the first step towards complete digital sovereignty for the country, with further steps to follow.

Ensuring digital sovereignty is at least as important as energy sovereignty. This cannot be achieved with the current standard IT workplace products and the switch to open source solutions is an important building block towards maintaining digital sovereignty. The use of open source software also benefits from improved IT security, cost-effectiveness, data protection and seamless collaboration between different systems.

All this push towards an open source society might finally fulfill a vision of mine, as examined in EU Bug Bounty - Software Security as a Civil Right, to consider OSS security as a civil right to be enjoyed by every EU citizen:

In the scheme that Julia Reda pushes forward, mission-critical OSS applications' audits should be state funded in order to serve the wider good. In other words, Software Security as a Civil right.

Finally the tender has come to a close and two 48-month contracts have been awarded; one to French-based YesWeHack and one to Belgium-based Intigriti. We'll keep you updated on anything new that emerges.


More Information

Relaunch of Commission open source bug bounties programme

Related Articles

European Union Will Pay For Finding Bugs In Open Source Software

EU Bug Bounty - Software Security as a Civil Right

The German Government's Sovereign Tech Fund For OSS

One State's Quest For Digital Sovereignty

Is The German State In Love With OSS?

Last Updated ( Monday, 11 August 2025 )