Hacking for €10k rewards and a secure open source ecosystem: Bug Bounty opportunities from the Sovereign Tech Fund

September 4, 2024

Generous bounties, technically stimulating scopes and the feel-good factor of helping to secure critical infrastructure that underpins a free and open internet – sound appealing, bug hunters?

You can enjoy these benefits by hunting on the seven (so far) public Bug Bounty Programs operated by the Sovereign Tech Fund (STF), which invests in open digital infrastructure to ensure a resilient and sustainable open source ecosystem.

Your hacking skills, together with support from the STF, are particularly valuable to these volunteer-run open source projects, given their vital role as infrastructure or as critical dependencies. Just consider the downstream impact of the Log4Shell zero day to see the importance of effective vulnerability management in this realm.

Log4j, the Java logging framework in which Log4Shell was found, is now among the STF’s Bug Bounty Programs, alongside ntpd-rs, GNOME, systemd, OpenPGP.js, Sequoia PGP and CycloneDX Rust Cargo.

All seven programs are currently offering rewards up to €10,000 for critical vulnerabilities. High-severity flaws command bounties up to €5,000, while for medium severity it’s €3,000 and low-severity issues earn €500 rewards.

The generous bounties – among the highest on YesWeHack – reflect the unusual and challenging nature of many of the targets. Scroll down and check out these programs to see if the scopes align with your hacking expertise.

Tara Tarakiyee, a technologist at the STF, comments:

“Our societies increasingly rely on open source software as critical infrastructure, and it takes a lot of effort to keep that infrastructure safe, which is why STF is committed to fostering the community of security researchers looking to use their skills to secure the open source ecosystem in the public interest through programs like the Bug Resilience Program.”

Open-source Bug Bounty Programs from the Sovereign Tech Fund

These seven public Bug Bounty Programs are currently active. With the Sovereign Tech Fund having numerous active investments – also including Drupal, PHP, Fortran, GNU libmicrohttpd and Python Package Index – and on the lookout for more, the organisation may well be a source of new hunting opportunities in the not-too-distant future.

Apache Log4j

The site of arguably the most significant vulnerability of all time – Log4Shell – owing to its severity and the ubiquity of this Java logging framework. Apache Log4j comprises an API, its implementation, and components to facilitate deployment for various use cases.

Qualifying vulnerabilities (at the time of writing): log injections, log event loss, memory safety, remote code execution, deadlocks, DoS.

Visit the Bug Bounty Program page for up-to-date scopes, qualifying/non-qualifying vulnerabilities and other rules.

ntpd-rs

Ntpd-rs is an open-source implementation of the Network Time Protocol written in Rust, with support for the Network Time Security protocol and a focus on exposing minimal attack surface.

Qualifying vulnerabilities (at the time of writing): Remote code execution; remote denial of service (excluding protocol limitations); privilege escalation; misuse of cryptographic primitives; and arbitrary clock modifications, using only NTS sources, controlling at most a minority of the NTS sources.

Visit the Bug Bounty Program page for up-to-date scopes, qualifying/non-qualifying vulnerabilities and other rules.

CycloneDX Rust Cargo

CycloneDX Rust Cargo is a project to read, write and generate CycloneDX SBOMs. It comprises cyclonedx-bom, a Rust library for reading and writing CycloneDX SBOMs from/to Rust structs, and cargo-cyclonedx, a Rust application that leverages cyclonedx-bom to generate CycloneDX SBOMs for Cargo-based Rust projects.

Qualifying vulnerabilities (at the time of writing): Remote code execution, remote denial of service, local and unprivileged denial of service, privilege escalation, memory safety issues, sandbox or security boundary bypass, arbitrary file read/write operations, code injection vulnerabilities, insecure deserialization, cryptographic implementation flaws, integrity check bypass, dependency resolution vulnerabilities, exposure of sensitive information in logs, compromise of signed SBOMs (e.g., signature verification failures), manipulation of SBOM content leading to incorrect or incomplete data, misconfiguration vulnerabilities, and insecure handling of command-line arguments and environment variables.

Visit the Bug Bounty Program page for up-to-date scopes, qualifying/non-qualifying vulnerabilities and other rules.

GNOME

Fully featured desktop environment and application platform for Linux. Used with the likes of Ubuntu, Fedora, RHEL and Tails and in security-critical contexts by activists, journalists, corporations and governments, among other users. The GNOME Bug Bounty Program began with two critical scopes, GLib and libsoup, but there is enormous scope for growth with the GNOME desktop consisting of hundreds of modules.

Qualifying vulnerabilities (at the time of writing): Memory safety issues, denial of service, undefined behavior leading to a security vulnerability, race conditions, missing validation of untrusted inputs, privilege escalation, cryptographic problems, exfiltration of confidential material, and supply chain issues.

Visit the Bug Bounty Program page for up-to-date scopes, qualifying/non-qualifying vulnerabilities and other rules.

systemd

A suite of basic building blocks for a Linux system. Among other features, systemd provides aggressive parallelisation capabilities, socket and D-Bus activation for starting services, on-demand starting of daemons, tracking of processes using Linux control groups, maintenance of mount and automount points, and implementation of transactional, dependency-based service control logic.

Qualifying vulnerabilities (at the time of writing): UEFI Secure Boot bypasses, remote code execution, remote denial of service, local and unprivileged denial of service, privilege escalation, sandboxing bypass, login prompt/password check bypass, disk encryption key leaks, misuse of cryptographic primitives, leaking user logs to other unprivileged users, and signed dm-verity compromise.

Visit the Bug Bounty Program page for up-to-date scopes, qualifying/non-qualifying vulnerabilities and other rules.

OpenPGP.js

OpenPGP.js is a JavaScript library implementing the OpenPGP standard for message encryption and signing. OpenPGP is typically used for end-to-end encrypted email, signing of git commits and software releases, and encrypted file storage, among a variety of other applications.

Qualifying vulnerabilities (at the time of writing): cases where OpenPGP.js incorrectly encrypts a message, causing (part of) it to be decryptable by an attacker; uses an insecure algorithm (by default) to encrypt a message, causing (part of) it to be decryptable by an attacker; incorrectly decrypts or signs a message, causing (part of) the private key to be extractable by an attacker; returns unauthenticated data (by default), potentially causing EFAIL-style vulnerabilities; incorrectly verifies an invalid signature; or fails to parse a compliant OpenPGP public key, possibly causing the application or user to send the message in cleartext instead.

Visit the Bug Bounty Program page for up-to-date scopes, qualifying/non-qualifying vulnerabilities and other rules.

Sequoia PGP

Sequoia PGP provides secure communication and authentication in the OpenPGP arena. “We are committed to protecting the privacy and security of our users with a particular emphasis on the most vulnerable people in our society: activists, journalists, lawyers and their clients,” reads the program introduction.

Qualifying vulnerabilities (at the time of writing): Memory safety issues, denial of service, undefined behaviour leading to a security vulnerability, injection attacks into human-readable and machine-readable output, authentication bypasses, creation of cryptographic artifacts using high-level interfaces that break or undermine the properties of cryptographic algorithms, invalid reasoning about OpenPGP certificates, exfiltration of confidential material, diversion of packet streams with respect to another major OpenPGP implementation, improper use of cryptographic primitives, and improper handling of secret key material.

Visit the Bug Bounty Program page for up-to-date scopes, qualifying/non-qualifying vulnerabilities and other rules.

About the Sovereign Tech Fund

The Sovereign Tech Fund invests in open digital infrastructure projects in order to strengthen open source security, resilience and technological diversity. Founded in 2022, the fund is financed – to the tune of €17 million for 2024 – by the German Federal Ministry for Economic Affairs and Climate Action.

The Sovereign Tech Fund launched the Bug Resilience Program in 2023 to help time-poor open source maintainers prevent and patch vulnerabilities through technical debt reduction, secure code audits and Bug Bounty Programs managed by YesWeHack. ‘Contribute Back’ challenges, meanwhile, saw an initial three successful applicants – developers, contributors or maintainers – given €300,000 to spend on creating or improving developer tooling, production security mechanisms and project documentation for their Free and Open Source Software (FOSS) components over a four- or eight-month period. The Sovereign Tech Fund is also piloting a fellowship scheme under which overworked and hitherto unpaid maintainers of critical open source components will be paid for their work.

These are important initiatives when you consider how, according to Synopsys research, 96% of codebases contain open source, applications have 526 open source components on average, and 84% of codebases contain at least one open source vulnerability.