So, good morning everybody. My name is Stijn Jans. I'm speaking on behalf of, well, actually Intigriti, Deloitte and the European Commission today, which is quite an honor. I'm here to basically explain to you what Intigriti, which is a bug bounty platform, has to do with open source software and the European Commission. The presentation will take about 15 minutes more or less, so I will leave some room if you have any questions. So, let's go ahead. I don't know who is familiar with bug bounty. Can you just quickly raise hands, who knows bug bounty? So, I know how. All right, perfect. So, I'll give a very, very short summary of bug bounty. Normally this takes a little bit more, but I mean everybody knows it here, which is perfect. So, when a company or a software application wants to secure itself, then mainly what they do is they will get a consultant and they will ask the consultant, hey, can you please check my application, and they will do like a five-day check, a ten-day check, a two-month check, whatever it takes, whatever the budget is, and they will ask this guy like, okay, can you please do this work for us? And that's what a security expert is, right? I mean, a security expert is a skilled person, is a creative person, today it's a flexible person, but most of the time also a quite expensive person. And the problem is that when this person is performing a security test, which is a good thing, don't get me wrong, I really believe that you have to do this anyway, but the main problem is that this guy is limited in time, limited in budget, limited in skills. So how do we resolve this? Well, we resolve this by understanding what the limitations of this one person are, and then replacing it by lots and lots and lots of persons to overcome all those things. But that does make the last thing also true, which is it will become a very expensive thing.
So that's why we at Intigriti, bug bounty, we believe in crowdsourced security, which means, and these are the basics, we ask people from the community to look for vulnerabilities in applications. And if we take the example of Facebook here, then we would have like one rockstar guy, which is our security guy, and he would go up to Mark Zuckerberg and tell him like, hey, you know what? I do know how to hack you. I can put something on your timeline, I can delete something, I can do whatever I want. And Mark is like, oh, really? Can you? Okay, here's a deal. I can tell you how I did it, and he will explain this all to Mark, and in return, Mark's really happy, and he's like, thank you so much, here's 1,000 euros. If it's a lot or not for Mark, that's another discussion, but here's 1,000 euros. Thank you so much, and you know what? This is a win-win situation for both ends. That's what basically bug bounty is, and that's a service that we as Intigriti offer to the market. So we have companies, we have applications that use our platform to get in touch with the community, report vulnerabilities that are discovered, we will perform a triage on them, so we only do this in a managed way, and we will then submit these reports to the company that it belongs to. Now, we've been doing this for a few years, and last year somebody told us about EU-FOSSA, and this is where the European Union kicks in. EU-FOSSA, and well, it has a meaning, EU-FOSSA, it stands for European Union Free Open Source Software Auditing, which basically is a project which launched in 2015, 2016, and what they did at that time was they really wanted to do something for open source software, because the European Union is mainly using open source software for themselves, and they wanted to improve or test the security of the software.
And how they did this was, first of all, they made an inventory of all the open source software that they were using, but they also reached out to the community by doing a public survey, and they were discovering which software is important for the general public. And I'll come back to that because I also brought a small slide of the results. The next thing that they did after mapping all this software was that they did a formal security audit, so they did the thing where they asked one guy like, hey, can you please do an audit on Apache HTTP Server and on KeePass. And this was basically EU-FOSSA 1. This was their project, which they did. And the results of this were, well, they were quite positive. First of all, it had a high value for the people of the European Commission, but also for the general public. I mean, KeePass being audited was really a very good thing, and the results were very positive as well. There were code reviews, there were, the question that was raised was mainly, we discovered some vulnerabilities now. What about fixing them? Because this is a main topic, like it's okay with open source that you can say like, hey, this and this and this and this is wrong, but what about fixing? So this was something that they discovered in this process like, okay, we might want to focus on this more in the future. The next thing that they discovered as well was like, okay, what about communication? Because now it was very formal, it was really steered by them, it was really driven by them, but there was not really a very strong connection to the audience. So they basically concluded that the methodology that they were using was good, but it needed a continuous cycle, and it needed to change a little bit. And I told you about the results. This was one part of their results. This was a map of the software that was used A by them or B by the general audience. And you can see things like VLC, KeePass, 7-Zip, OpenSSH and others.
So they just made like an open source software map, which was really, really important for both ends. And this was used then to go to EU-FOSSA 2. And EU-FOSSA 2 is a project that kicked in last year. EU-FOSSA 2 is a project where they were like, okay, what we've been doing is okay, but we want to change the methods that we used, and we want to invest in more like a continuous security cycle instead of a one-time-shot security. And how are we going to do this? We're going to do this by running bug bounties against open source software. We're going to do hackathons. We're going to create awareness. And all this only to improve open source software security. That was like the main goal. I added a small link here. If people are interested, I uploaded the slides. This is the official link to the project where you can find all the detailed information. Now about this bug bounty part. So what they did, and as a citizen, I think this is really cool. They made one million euros available for discovering and fixing vulnerabilities in the software that they identified as important. So they are really like giving away one million euros to help you guys in finding those vulnerabilities, but also in fixing them. And as a citizen, this is like the most tangible thing that I've ever seen from the European Commission for me. So I really like this project. This was proposed by several European Parliament members, and I just wanted to give them the credit by adding them to the slide here as well, because without them, this would never have been possible. They basically came up with the idea to do this. They pushed it forward and they got it approved. So thanks to them, we now have 15 programs that are funded with this one million euros to go to the community. And the nice thing is, last point on this slide, it's not only about identifying and throwing vulnerabilities out there. It's also about proposing a fix. So what they did is they've put a value on vulnerabilities, depending on the software.
I'll come back on the bounty part later on. But what they did as well is like, okay, suppose that you get 10,000 euros for a vulnerability, and you bring a fix as well, which is accepted by the community. That's a very important part, accepted by the community. Then you get a 20% bonus on top. Why does it need to be accepted by the community? Because sometimes you have vulnerabilities, if you would fix them, then the overall performance of the software would go like down 50%. Well, that's not an acceptable fix. That's a lousy fix. You would not get 20% for that. But if it's a good fix, and the community agrees, then you would get 20% on top. So we are working with those communities now to do this. So how did that work? Just to give you some insight in that. Basically, they launched a bug bounty tender. And there were four companies worldwide that submitted their proposal towards the tender. We were lucky enough to work with our colleagues from Deloitte. We won the tender. This was a cascade system, which basically means that the second place was HackerOne, also a very well-known bug bounty platform. All of the projects, and these are the 15 projects that are funded, are now divided between those two platforms. You can find nine of them at Intigriti, and you can find the others at HackerOne. You can also see the maximum amount that you can earn if you find a vulnerability, a critical vulnerability. So it's not like here's a low vulnerability, I get this amount now. So the amount of money is depending on the severity of the vulnerability. This is first being triaged by us, but we are working in close collaboration with most communities. And at that point, we will discuss with the community. A, is this not a known issue? Because if it's a known issue, sorry, no can do. We cannot pay for that. B, if it is not a known issue, so it's a new vulnerability, how can we rate the criticality? How can we see the severity? And based on that, you get a set amount of money.
That's basically how it works. And just to go over them, because it's really important, you've got KeePass, you've got Drupal, glibc, FileZilla, and Apache Kafka, Notepad++, PuTTY, VLC, FLUX TL. Some of you might not know this. This is a software built by the European Commission themselves. And it's to basically track vessels. It's maritime software. It's a transport layer. And there goes my screen. All right, cool. So it's transport layer software to communicate about where the ships are and permissions to go into international waters and all those things. So very special software. You've got 7-Zip. DSS is Digital Signature Software. PHP Symfony, Tomcat, WSO2, also well-known, and midPoint. So I think most of the projects are very well-known names. And that's basically what we are doing. We are now running these projects and they just started off three days ago. So it's very new, it's still very fresh. We had Drupal and KeePass. They started off a little bit earlier. KeePass started off on the 15th of January. Drupal started off around the 20th of January. But most projects launched around the end of January. And I'm already expecting a question. So what about reports? Yes, we are seeing reports. No, I cannot tell you anything about these reports. But yes, there is already certain input from people. So it's very positive so far. And we are now looking for more. We are really asking you guys for support and really hoping that you guys can find the time to look into the software and work with us on these projects. That's basically our main question. That's basically where we want to get. So that's what I wanted to tell today about EU-FOSSA, about Intigriti. So thank you very much for your attention, but I'm really open to answer any questions if you might have some. Plenty of time for questions.

Hey, I'm curious, on any of these projects, don't any of them already run their own system?
Are you, I mean, are you competing with existing bug bounties? Or are you doing it in addition to those?

I understand the question. As far as I know, I've reviewed almost all of the projects. We are not competing with any existing ones. So this was one of the parameters that the Commission took into account. If they were running their own bug bounty, meaning paying, not responsible disclosure but paying bug bounty, then they left them alone. They were like, okay, this is okay. If it was responsible disclosure, then this would come on top. Yes. So certain programs like Apache, I know for sure, and there are some others as well, they already had like the security@ and so on, where people could send in private vulnerabilities and they would get listed on the wall of fame or something to acknowledge what they did afterwards. But this is really like bug bounty in the paying variant. So this is different for them. But if there was a paying system, they left it alone, as far as I know again.

I have a follow-up. Someone else can ask. So in the case of KeePass, that's a couple of projects. There's KeePassX, there's KeePassXC. Does this apply to all of them?

No, it's just KeePass, the one original KeePass. It's like the variants are excluded.

I see. Thank you.

Hey, I've done my fair share of patching for security problems, like soon 100 CVEs. But I'm curious about the fixing part. You said you get a 20% bonus if you provide a fix, but I've handled a lot of security reports. I never get a quality fix. The ones who are fixing it with quality are the ones who own the project. So therefore, I'm curious, would that 20% be possibly handed over to another team that does the fix?

No. So no, the money is not going to be pushed away to someone else doing the fix. So it's all for the person sending and submitting the report. If he also comes up with a fix that will be accepted, then yes, you will get the 20% on top. If somebody else, of course, the own team is fixing it.
No, there's no 20%, because I hear you and I think it's sad, because it's so extremely rare that it happens. I've never basically seen it, but okay. Any other questions? Any more questions? All right. If there are no questions left, the European Union has a stand in building H, if I'm not mistaken. There's some more information over there. Also some goodies over there, so feel free to go there. If not, if you can't find them, just come up to me and I'm happy to give you all the information as well, or some goodies as well. So thank you very much.