halfastack · 7 years ago
This is a very strange distribution of projects. There are projects like VLC, Filezilla, and 7-zip, next to often mission-critical pieces of software, like Kafka, Tomcat, and GlibC. I wonder what went into the decision process to include each of these libraries.

I also dislike the 'bug bounty platforms'. Why can't I simply report it upstream, and if accepted, claim my prize? Each of the projects should have CVE protocols and procedures. The idea probably is to curb the zero-day vulnerability leaks, but I assume that if you're able to find a CVE, you're capable of finding a CVE procedure.

Overall, though, this is great of course.

jdietrich · 7 years ago
It seems like a rather logical distribution of projects if you consider the ratio of (installed base/developer interest). The projects on this list all have massive user bases, but few of them would garner much excitement on HN and they have relatively small developer communities.

Filezilla, Notepad++ and 7-zip aren't in themselves mission-critical, but they're hugely popular products. If you can pwn an office computer or a developer workstation, you've made a crucial step towards pwning something properly sensitive. Think about the IT guy in a typical medium-sized business or a government department - what are the first things he's going to install on his own work computer? After Microsoft Office and his browser, what programs will he most often use to open untrusted files from the internet? What happens to the department if a trojan on his machine starts feeding his passwords to the FSB or the PLA?

a_bonobo · 7 years ago
Of these, I'm pretty sure VLC is the most common software on end-user systems, and there are enough security advisories where a well-crafted video file can execute code with user privileges (like https://www.videolan.org/security/sa1801.html ). If you can automate that, you have access to many personal computers in the EU.
amenod · 7 years ago
Also, VLC has a huge attack surface - binary parsing is difficult to do right in C / C++. I hope this effort makes the crashes less frequent...
denzil_correa · 7 years ago
> I wonder what went into the decision process to include each of these libraries.

The decision making process was a survey [0]. The two criteria used were (1) usage of software inside and outside the EU and (2) critical nature of the software for institutions and users.

[0] https://joinup.ec.europa.eu/news/results-eu-fossa-survey

kyriakos · 7 years ago
Most probably these are tools commonly used by EU institutions which have records of bugs causing them problems. The solution is to help fix those bugs by offering money. You are right though, I can't see how VLC can be as mission critical as Kafka.
jdietrich · 7 years ago
Most police forces use VLC to view CCTV recordings and other multimedia evidence. It's an entirely logical choice of software, but it presents an obvious risk in the current climate. I would imagine that many intelligence services use VLC for similar purposes.

A nation-state adversary with a VLC RCE 0day could do some serious damage; if they also have an 0day for a popular model of CCTV DVR, they've got the keys to the kingdom. Those DVRs will never get patched and a nation-state adversary could dream up all sorts of ways to induce a police officer or an intelligence agent to play a media file, but at least we can harden VLC.

progval · 7 years ago
> which have records of bugs causing them problems

Even glibc?

> I can't see how VLC can be as mission critical as Kafka.

VLC can run on public screens.

Tarq0n · 7 years ago
There was a bit of a scare around a 7-zip vulnerability earlier this year. [0] Turns out 7-zip is embedded inside a lot of other programs making those vulnerable too.

[0] https://www.cisecurity.org/advisory/a-vulnerability-in-7-zip...

raverbashing · 7 years ago
There's a distinction between your examples: the first ones are user tools, the latter are backend applications or libraries.

My guess is that the main objective is to address user-visible bugs. While a glibc bug is certainly impactful, it is usually solvable before it gets too widespread.

(And as much as it's "not the right way", higher level apps work around it before it is fixed.)

coldtea · 7 years ago
>This is a very strange distribution of projects. There are projects like VLC, Filezilla, and 7-zip, next to often mission-critical pieces of software, like Kafka, Tomcat, and GlibC. I wonder what went into the decision process to include each of these libraries.

The EU (Brussels offices, etc) actually using them?

halfastack · 7 years ago
Sure, but there's a difference between "yea, we like 7-zip, let's put some money into it" and "yea, we use Tomcat to actually run our apps connected to the DB, might be nice if it got a bit of patching" (and funnily enough, some of the user-centric apps have more funding than some of the backend, mission-critical SW).
Ayesh · 7 years ago
For me, the biggest advantage of big bug bounty programs is the ease of reporting something. Not every software has a direct security report procedure documented.

For those who wish to get credit for them, those bug bounty sites help too.

29athrowaway · 7 years ago
What if they took all the office suite licenses budget and invested it in an open source office suite project like LibreOffice, Calligra suite (formerly KOffice) or Gnome Office?
sddfd · 7 years ago
The city of Munich tried to develop a Linux distribution "Limux" that was used for some time, but political considerations ultimately reversed the decision.

https://en.m.wikipedia.org/wiki/LiMux

gronne · 7 years ago
That's a nice way of putting cronyism, lobbyism and tech-illiteratism.
em3rgent0rdr · 7 years ago
Munich did that, but they didn't do the second part of parent's suggestion: "and they invested it in an open source office suite..."

Surely most of the problems with the opensource tools they were using could have been resolved by helping the opensource projects fix bugs.

MrBuddyCasino · 7 years ago
> political considerations ultimately reversed the decision

That's a very one-sided portrayal of the situation. There were problems regarding usability, the resulting low user acceptance and issues with external MS Office files due to compatibility bugs.

If anything, funding the project for so long was a symptom of putting ideological and political considerations before user needs.

I find it very weird how even most software developers prefer MBPs with MS Office on them, but some poor souls elsewhere are supposed to do their daily work on a sub-standard platform. I mean we're still joking about the "Year of the Linux Desktop".

scrollaway · 7 years ago
Why not both?

FYI a lot of european government offices run LibreOffice.

justinclift · 7 years ago
This all sounds good, with the exception of FileZilla, who (still) distribute malware ("bundled ad offers") with their default Windows downloads. :(

Seems kind of bizarre the EU would encourage such practices.

cyphar · 7 years ago
I think it's a stretch to say that the EU is "encouraging" such scummy practices. It's likely that they just collated a list of all software used widely by government departments within the EU -- and thus FileZilla is on the list. Ultimately, a potential 0day causing RCE within a government department is more of a concern to the EU than the optional malware you get during FileZilla's installation.
justinclift · 7 years ago
> the optional malware you get during FileZilla's installation.

Think that through. The malware that comes with FileZilla is often reported to be pretty bad.

Agreed, a potential 0-day (especially when targeted) could also have a really bad effect.

But Filezilla's malware isn't theoretical, so could really be the bigger problem.

pacifika · 7 years ago
https://etendering.ted.europa.eu/cft/cft-display.html?cftId=...

The process was an open tender from which the software projects were chosen.

rendx · 7 years ago
The European Commission also has additional calls out for intermediaries to re-distribute funding to open source projects (ICT24), and some of the intermediaries have their respective calls open for projects (from 5k€ to 200k€):

https://www.ngi.eu/opencalls/

https://ec.europa.eu/info/funding-tenders/opportunities/port...

em3rgent0rdr · 7 years ago
Notepad++ seems to be Windows-only. It seems it would be better to support a cross-platform text editor.
r3bl · 7 years ago
It also seems to be the third most popular dev environment overall (behind VS and VS Code, ahead of Sublime Text and Vim): https://insights.stackoverflow.com/survey/2018/#development-...

It's not a very interesting target (most of these are not), but it's safe to say it's a valid target.

threeseed · 7 years ago
You have it backwards.

It isn't about promoting open source products. It's about defending against open source products that are already being used. Likely heavily used within the EU institution itself.

blackoil · 7 years ago
I believe software is selected based on usage. So if it is the most used editor, they should sponsor it irrespective of the OS.
qha · 7 years ago
Of that list, Notepad++ is the only product I use, so I'm happy with their decision :D
jabl · 7 years ago
Is it worth spending 90kEUR on PuTTY, considering Windows nowadays has OpenSSH?
scrollaway · 7 years ago
Is it worth spending money on Drupal considering we nowadays have anything else?

The answer is yes. The value of these bug bounty programs is directly tied to the amount of use the software gets (and most of these get used a ton, including Putty, regardless of alternatives).

oelmekki · 7 years ago
Do people using this oldish software update it, though?

Funding bug bounty programs kind of fails its objectives if they don't.

threeseed · 7 years ago
Most places are not running the latest version of Windows. And even if their SOE is Windows 10 I guarantee you that their VDI isn't. And since Putty doesn't need an installer it's easy for users to install themselves even when the machines are locked down.

So given that pretty much every government/company probably has some incidental security exposure to Putty it is a smart investment to make sure it's bug free.

rasengan · 7 years ago
This is a good step, and it’s great glibc is included. In the future, I think it would be great if more critical, widely distributed libraries/software could be included like that!
dhh2106 · 7 years ago
+1

It's a good initiative and needs a better selection / qualification process