Bug Bounties and FOSS: Opportunities, Risks, and a Path Forward
Bug bounty programs have long been used by industry to help incentivize reporting of dangerous vulnerabilities in software, but how effective are they in making our open source critical infrastructure safer?
What should decision-makers pay attention to when developing such programs in the public interest?
On 30 Sep 2024, Dr. Ryan Ellis will present his research report that answers these questions and more.
Join us for an evening marking the publication of the research report by Dr. Ryan Ellis titled “Bug Bounties and FOSS: Opportunities, Risks, and a Path Forward,” commissioned as part of the Bug Resilience Program.
The event explores the critical role that the public sector plays in enhancing the security of digital infrastructure through vulnerability disclosure programs. The keynote speakers, Sabine Grützmacher (MdB) and Dr. Ryan Ellis (Northeastern University), will provide their perspectives on the current landscape and future directions for public bug bounty initiatives.
The event also features interactive artistic interventions by Sasha Dorofeev + Jona Wolf and bleeptrack, exploring the themes of bugs, vulnerability, and infrastructure.
Bug Bounties and FOSS: Opportunities, Risks, and a Path Forward
The research examines how bug bounty programs can enhance the security of free and open source software (FOSS) projects, while highlighting the challenges and potential pitfalls of implementing such programs. It explores the conditions under which bug bounties are most effective, the unique difficulties faced by FOSS in maintaining security, and offers recommendations for deploying bug bounties in a way that supports the broader FOSS ecosystem ethically and sustainably.
Public Sector’s Role in Public Bug Bounty Programs
A panel discussion on the “Public Sector’s Role in Public Bug Bounty Programs” will delve into the risks and opportunities of publicly funded security measures for open source projects, drawing on the key findings from Dr. Ellis’s report. Joining Dr. Ellis on the panel will be Amir Montazery from OSTIF, Yona Raekow from BSI, Lars Francke from Stackable, and Dr. Aïmad Berady from YesWeHack. The panel will offer the attendees a chance to hear reflections on the report findings from expert perspectives.
Due to limited capacity, this event is by invitation only. Please refer to your invitation email for the link to RSVP and your unique registration code. Registration for the event is available on a first-come, first-served basis. If you are unable to attend, we request that you cancel your registration.
If you did not receive an invitation, and are an interested policymaker, researcher, or industry professional in the field of cybersecurity and open source software development, please feel free to contact us: bugresilience@sovereigntechfund.de
Agenda (Preliminary)
30 September 2024
17:30 | Arrival
18:00 | Welcome by Adriana Groh & Fiona Krakenbürger, Co-founders, Sovereign Tech Fund; Introduction to the Bug Resilience Program by Paul Sharratt, Policy & Research Manager, Sovereign Tech Fund
18:30 | Importance of Public Support for FOSS by Sabine Grützmacher, Member of the German Bundestag, Bündnis 90/Die Grünen
18:45 | “Bug Bounties and FOSS: Opportunities, Risks, and a Path Forward” Presentation by Dr. Ryan Ellis, Associate Professor, Northeastern University
19:00 | Short Introduction by Artists Sasha Dorofeev, Jona Wolf, and bleeptrack; Networking Break
19:45 | Panel: Public Sector’s Role in Public Bug Bounty Programs, moderated by Tara Tarakiyee, Technologist, Sovereign Tech Fund
20:30 | Closing Remarks by Adriana Groh & Fiona Krakenbürger; Networking
The Bug Resilience Program (BRP) was founded in 2023 by STF to complement its mission to support the development, improvement, and maintenance of open digital infrastructure. It provides assistance to critical open source infrastructure projects through code audits, direct contributions, and bug bounty programs in order to help them deal with the challenges posed by software vulnerabilities and their management.
Please note that for promotional and archival purposes, this event area will be documented by photography, audio, and video recording. We will ask for your permission at the event check-in. You can choose not to be recorded or photographed.