Bug Bounty Programme: European Commission Selects American Platform HackerOne (By Guillaume Tissier, CEIS)

The EU-FOSSA programme was launched in late 2014 with two main objectives: to contribute to the development of open-source software, which is widely used by European Commission institutions, and to tighten the security of this type of software by strengthening ties between security professionals and the open-source community. The programme was created after the Heartbleed incident and managed by the Directorate-General for Informatics (DG DIGIT). Its first initiative was a pilot bug bounty programme for the KeePass password manager and the Apache HTTP Server. It identified no major vulnerabilities in either of these.

After this initial trial, it was decided to extend the programme and a €1.9 million budget was approved by the European Parliament. In June 2017, an initial call for tenders in the amount of up to €60,000 was issued for the popular VLC media player, which is installed on many European Commission computers. The outcome was surprising. The main European platforms — Yogosha, YesWeHack, Integrity and Zerocopter — all submitted tenders. Yet, the successful tenderer was HackerOne, the leading American platform. In defending its selection, the Commission cited HackerOne’s extensive community of ethical hackers (100,000 people) and its more attractive financial proposal.

HackerOne’s victory first and foremost raises a security concern: as in any bug bounty programme, the platform selected will gather together all the vulnerabilities discovered on the target software program. This is all the more worrisome as WikiLeaks has revealed how the CIA has used the VLC software program to conduct espionage operations. Even if the platform acts as a trusted third party, launching a bug bounty programme exposes flaws and carries all the usual risks of outsourcing. More than anything, though, HackerOne’s triumph spotlights the European digital market’s difficulties with the winner-take-all principle held dear by major digital platforms. Thanks to network effects, a widely dominant operator wins the lion’s share of the market while other operators fight over scraps.

HackerOne has parcelled out no less than $14 million to hackers since its inception, and has raised $40 million from the Swedish fund EQT Ventures. Its ambition to conduct operations in Europe is perfectly legitimate. At the same time, it is important to create conditions that enable its European competitors Integrity, Zerocopter, Yogosha and YesWeHack to develop. A larger-scale open call for tenders will be launched shortly by the European Commission (see prior information notice). This represents an opportunity to let European players shine.