Our next speaker, Marek Przybyszewski, will present EU-FOSSA 2. Please welcome Marek.

Good evening, everybody. I will be talking about the EU-FOSSA 2 project. I'm Marek Przybyszewski; I work at the European Commission, DG Informatics, Unit B3. I've been working at the European Commission for 11 years now, and for years in DG Informatics. I was a developer before, but that's just my background. So, what are EU-FOSSA and EU-FOSSA 2? It all started with the Heartbleed bug, which shook the world, and everybody thought: what can we do about the security of open source software? The cost of this bug has been estimated, by some, as high as half a billion euro worldwide. So, also at the European Parliament, two members of the European Parliament, Julia Reda and Max Andersson, managed to get through the difficult process of creating a so-called pilot project. The Parliament has the possibility to launch pilot projects for different purposes. There are many proposals every year, and this one was among those selected because of the importance of security. So, after it had been voted on by the committees of the Parliament and by the Parliament itself, it went to the European Commission for execution, and we nicknamed it EU-FOSSA, as every project needs an acronym. It ran during 2015-2016, and for this first iteration of the project we used the tools we had at hand at that time, which were very easy to use: existing framework contracts with companies that were already working on other projects with the European Commission. So, the project was done by a consortium of companies: KPMG and Trasys, and another company, Everett. What did we do during this project? The project delivered a methodology for how to do code reviews at the EU institutions, how to select software for such code reviews, what the criticality of the software is, and so on and so forth.
It delivered an inventory of the open source software used at the European Commission. A public survey was done to help choose the software for the first code reviews, and we did two formal code reviews: of KeePass version 1.x and of the Apache HTTP Server core. These were done by the hacking centre of Everett. They detected some not-serious problems, and the general response was: yes, it's nice to do this kind of project, but can we do it better still? KeePass in particular, Dominik Reichl was very happy about this, that it helped the project to advance. So, EU-FOSSA is over, it was 2015-2016, and now we are at the next stage of the project. The initial success made the members of the Parliament want to continue it, and there is another one in the middle, the photo in the middle, Marietje Schaake, who was here this morning, maybe some of you were at the morning keynote talk. She wanted to do bug bounties, and this matched exactly the needs of how we could improve EU-FOSSA, so this became a single, what is now called, preparatory action. The cycle of doing things at the EU is: first we have a pilot project, then we have a preparatory action; we can repeat the preparatory action; and at the end, when it is successful and supported by the members of the Parliament, it may become a permanent action of the EU, so something the EU will do continuously. So, again, after being approved by the European Parliament, it went to the European Commission for execution. We started working on it in 2017; we managed to make it run a little longer, so we will not run it in just 2 years but now 3 years, 2017 to 2019. As you can see, the budget is higher: 2.6 million euro this time. With this budget we can do much more and explore some new ideas. So, the first thing to explore, and that's, I think, very cool to do, is bug bounties.
There are some people who say that it's maybe not the best way to address the security of software or such, but I think it does the job pretty well. We had a chance to already try it once, as this is something the European institutions had never done before. The European institutions had never paid any researchers or hackers for finding bugs in software. So, we launched this test drive, as it is called on the slide. This proof of concept took us 5 months, more or less. We audited VLC this way, and following a mini competition, a mini tendering process, out of the 6 companies that took part we chose HackerOne for this trial. So, what did we deliver? As I said, this is the first time the EU institutions did such a thing. The bounty program lasted 6 weeks. There were 28 participants, and 5 bounties were paid. So, after all this preparation, we managed to prove that this is an approach that works. This was also thanks to the great collaboration with VLC. The team there was very active and very happy to receive this kind of support, and they used the HackerOne platform to work with this project. There were 28 participants; you can see a little graph of the participation on the right of the slide. So, what next? After we did this proof of concept, before it had even finished, we started preparing what is called a call for tenders. That's a formal procurement process: if the EU institutions want to spend large amounts of money, there needs to be a fair process to assess all the companies that would like to do a certain activity, and then choose the best ones. We are now at the end of preparing the text of the call for tenders. What I can say about it before it is published is that there is a 1.6 million euro budget foreseen for that action alone. We intend to have more than 20 different projects audited this way.
We are targeting critical open source software, and there will be some high rewards included in the process, as we also want to try to target very high-profile projects when looking for security vulnerabilities, like, for example, encryption algorithms. For more information, if there are companies interested in participating in this call for tenders to offer the bug bounty service, there is an official page at the bottom of the slide; it's called a prior information notice. For the time being, I'm not allowed to say much more about the call for tenders, because everybody has the right to receive the information at the same time, and so on and so forth. This is a very formal process, so I have to stop here. What else we plan to do in EU-FOSSA 2 is to try another approach: for a project that is distributed around the world, whose members maybe have never had the opportunity to meet in person, bring them together and let them work; and maybe a project that has outstanding security-related problems, like architectural problems, that cannot be fixed without them meeting together: invite them all to Brussels, let them work for some days, and this way maybe arrive at a conclusion, at a way to properly solve outstanding security problems. This is planned for November 2018, more or less. Also, what we want to do is bring more awareness about the project itself, so there will be more communication; it should happen very soon. We also want, and that was requested by the MEPs, to bring more awareness about the importance of software security in general and in the context of open source software. And also, we want to have a professional company listen to all the reactions that are out there, and then adjust the project as it goes, so that we can make the best out of it. What's the ultimate goal of the project? It's to try different methods of addressing the security of the free and open source software used at the EU institutions.
And at the same time, invest in the security of... make this a permanent action, that's the goal. So we are trying different approaches: we tried formal code reviews, now we are trying bug bounties, we want to try the hackathon, and we can also try other things still in 2019, to find the best way for the EU institutions to invest in the security of open source software. And on the way there, we hope that we will already be improving the security of open source software, as there will maybe be some vulnerabilities found and fixed. So that's it from me about the project for now. The core of the project will be executed during the second half of 2018 and the first half of 2019. We are still preparing a lot of things to make it happen. If you have any ideas, please use the email address that is on the slide. Please watch the Joinup page, which will go live soon. Currently, it still contains information about the EU-FOSSA 1 project; you can find the information about that project, the deliverables of that previous project, and so on and so forth. Thank you very much. I would like to use the occasion to thank Pierre, who is sitting here, who just retired after 25 years at the Commission and who helped a lot in this project. He was behind the open source software strategy of DIGIT in 2000 already. So I would like to thank him very much for the work; it was really a pleasure to work with him. I don't know if I mentioned it: there is also a full-time project manager who joined us in December just for this project, since I am managing several projects at the same time. I am sure that this will make the project run much, much faster. Thank you very much.

Do we have time for questions? Yes, five minutes.

The question was how many open source software projects that are used in the Commission we managed to study, and whether we want to extend it to other public administrations.
So, the only two projects that were reviewed were KeePass and the Apache HTTP Server core, and now VLC as well, using the bug bounties; there will be more in the future. We want to have more institutions involved in the project, but if we look at the different software projects used in the different institutions, I am sure we will cover most of the software used in all public administrations. So if you have more questions, I will be hanging out here around the door. There is the time inside.