As part of improving its own internal IT security, the European Parliament has taken a welcome step: a so-called bug bounty program that encourages hackers and other specialists ("researchers") to look for vulnerabilities in the VLC player, which is also used inside Parliament. The whole exercise is run in consultation with the developer of the software and even pays financial rewards for reported security vulnerabilities. For this purpose, the program is handled via the HackerOne platform.
There the program is described as follows:
Bug Bounty Program VLC Player
EUFOSSA Directory Page:
The European Parliament has approved the budget for improving the EU's IT infrastructure by including the free software security audit program (FOSSA) and by including a bug bounty approach in the program.
The Commission intends to conduct a small-scale "bug bounty" activity on open-source software with companies already operating in the market. The scope of this action is to:
- Run a small-scale "bug bounty" activity for open source software project or library for a period of two months maximum;
- The purpose of the procedure is to provide the European institutions with open source software projects or libraries that have been properly screened for potential vulnerabilities;
- Hunters, while staying in-line with the existing Terms of Service for the bug bounty platform.
About the Program
The VLC program is private
In conjunction with the VideoLAN team we are trialing the VLC application on a bug bounty program. We invite hackers and bounty hunters (aka researchers) based on a variety of factors – reputation, previous track record (high quality reports) on our previous public program, word of mouth and many other factors. The selection is completely at the discretion of the VLC team until such time as we go public.
Our bounty policy
Qualified security vulnerabilities will be rewarded based on severity and impact, to be determined by the VLC security team. Rewards may range from $100 up to $3,000. Reward amounts vary based on the severity of the reported vulnerability and eligibility, at VLC's sole discretion.
The purpose of the whole action is to have any gaps and faults that may exist reported responsibly, rather than exposing every vulnerability directly to the public, where it could immediately be used for malicious attacks. For two months, everyone interested in the bug hunt now has the opportunity to earn a portion of the allocated budget as a reward, all in the name of security, of course.
(via Der Standard)
-> To the article European Parliament opens bug-bounty program for the VLC player
-> To the blog Caschys Blog