Join the Bug Resilience Program and get support for vulnerability management!

By Tara Tarakiyee

In Bug Resilience Program

The Bug Resilience Program enhances the resilience of critical, free and open source software infrastructure against vulnerabilities. We’re now accepting applications on an ongoing basis to participate and take advantage of the services offered through the program.

We are excited to announce that applications are now open for the Bug Resilience Program (BRP), aimed at enhancing the resilience of critical free and open source software (FOSS) infrastructure against vulnerabilities. This program is a prime opportunity for contributors and maintainers to get additional support with managing vulnerabilities in the critical FOSS projects they are working on.

What is the Bug Resilience Program?

Our lives heavily depend on digital infrastructure, often without us realizing it — until issues arise. Undiscovered vulnerabilities in critical FOSS infrastructure, as in the cases of Heartbleed and Log4Shell, have caused significant disruption and damage on a wide scale. Proper vulnerability management practices can help reduce the impact, quantity, and scope of such vulnerabilities; however, they require time and effort that the maintainers of infrastructure projects often do not have.

Conceptualized and launched in 2023, based on feedback from experts and FOSS infrastructure projects, the Bug Resilience Program brings together critical FOSS projects with expertise in the form of implementation partners to help manage vulnerabilities in our critical infrastructure. The program is open to open digital infrastructure technologies, such as libraries and standards, that are openly accessible and free to use.

The BRP is based on a holistic and preventative approach to vulnerability management, aiming to increase a FOSS project’s resilience to potential vulnerabilities. For example, by supporting activities such as reducing technical debt (restructuring code so that it is easier to maintain), BRP helps improve maintainers’ capacity to respond to bugs. Improving maintainers’ ability to respond to and resolve issues leads to simpler bugs being fixed, or at least acknowledged. Combining this with a bug bounty program or a code audit allows security researchers to focus on discovering the vulnerabilities that are harder to find, thereby maximizing the effectiveness of such programs.

What services does BRP provide FOSS infrastructure technologies?

Currently, BRP offers three services to FOSS infrastructure projects.

1. Direct Contributions

Our partner Neighbourhoodie Software offers various contributions to participating projects, addressing known issues, enhancing documentation, and reducing technical debt. Many FOSS maintainers are aware of vulnerabilities but lack the capacity to address them. By improving documentation and reducing technical debt, we help maintainers focus on security improvements and increase the quality of external contributions.

2. Bug & Fix Bounty Platform

In collaboration with YesWeHack, the BRP offers bounty programs for selected FOSS projects. These programs incentivize the discovery of vulnerabilities and compensate projects for the time spent addressing these issues. YesWeHack provides access to security researchers and assists with triage and verification of vulnerability reports. BRP also offers “fixing” bounties for each responsibly reported and fixed vulnerability, to ensure that participating projects always have the capacity to address emerging issues.

3. Secure Code Audits

Partnering with the Open Source Technology Improvement Fund, BRP offers security reviews for critical software components like cURL, Jackson, and LLVM. These audits help maintainers proactively assess their code’s security posture and address high-risk vulnerabilities before they can be exploited. Given budget limitations, we’re only offering secure code audits to a limited number of participating projects, where it makes the most sense.

How to Apply

The Bug Resilience Program is specifically seeking applications from critical FOSS infrastructure projects. Visit our program page for detailed information on the application process and criteria. We review applications on an ongoing basis, and applications that meet the criteria will be invited to join BRP on a first-come, first-served basis.

Join Us in Making Software Safer

Join the Bug Resilience Program to contribute to creating secure, resilient software systems. Apply now and join us in our mission to enhance software resilience and security. For more information, please write to info@bugresilience.de

If you are a funder or a vulnerability management expert who would like to collaborate with the BRP, please email partnerships@bugresilience.de

We look forward to your applications and to building a more secure digital world together!
