Videos, Highlights, and Insights from the 2024 Bug Bounties and FOSS Event
By Tara Tarakiyee
Last autumn, we hosted an event in Berlin to celebrate the publication of our research report, Bug Bounties and FOSS: Opportunities, Risks, and a Path Forward, commissioned as part of the Sovereign Tech Resilience program. We're excited to now share videos of the keynotes and panel, the German version of the report, and a new job opening for the program.
The Sovereign Tech Resilience program takes a preventative approach to safeguarding critical open digital infrastructure by partnering with industry to offer vulnerability management services for open source projects and their maintainers. The goal is to lower their risk of harboring vulnerabilities and improve their capacity to respond to vulnerabilities as they are discovered. The program provides services to open digital infrastructure projects, such as helping projects reduce technical debt, working on known security issues, performing code security audits to reduce high-risk vulnerabilities, as well as offering a bug & fix bounty platform to discover, responsibly report, and fix vulnerabilities.
The Importance of Public Support for FOSS
Free and open source software (FOSS) is the foundation of modern digital infrastructure, yet many projects rely on small, under-resourced teams, leaving them vulnerable to security risks. Public investment and structured programs like Sovereign Tech Resilience are crucial to address these challenges and strengthen digital resilience.
The first keynote speaker, Maik Außendorf, MdB, Bündnis 90/Die Grünen, a Linux user since 1994 and former consultant for Linux-based open source solutions, highlighted these points in his speech. He strongly advocates for digital sovereignty and resilience, on both the hardware and software sides. In his talk, he emphasized the importance of public flagship organizations that actively support open source projects, instill confidence in using open source solutions, and secure sustainable funding for such initiatives.
Maik Außendorf also expressed hope that the Sovereign Tech Agency can set an example on an international level, demonstrating how public investment and leadership can foster a more resilient and sovereign digital ecosystem.
Bug Bounties and FOSS: Opportunities, Risks, and a Path Forward
Bug bounty programs have long been used by industry to help incentivize reporting of dangerous vulnerabilities in software, but how effective are they in making our open source critical infrastructure safer? This is the question the Sovereign Tech Resilience program commissioned Northeastern University's Dr. Ryan Ellis to answer in his research, which he presented during the event’s second keynote.
The research revealed that while bug bounty programs can enhance the security of free and open source software projects, they can also yield mixed results if the underlying software was already under-maintained. The research report validated some of the design decisions the Sovereign Tech Agency made when implementing the Sovereign Tech Resilience program, such as investing in preventative maintenance and compensating maintainers for their time. This can help counteract the trend towards declining contributions observed in a range of open source projects. The report also discussed some of the other advantages of bug bounty programs, such as their utility in managing attention on projects and how they speed up the identification of vulnerabilities.
Watch the video of his presentation below.
Watch the Event Videos
We’re excited to share the highlights from our Sovereign Tech Resilience event! Videos of the keynote speeches, panel discussions, and other key moments are now available. Dive into the insights shared by our experts and guest speakers to learn more about the challenges and opportunities in bug bounties and FOSS.
Keynotes and Guest Speakers
Panel discussion “Public Sector’s Role in Public Bug Bounty Programs”
At the event, a panel discussion on the “Public Sector’s Role in Public Bug Bounty Programs” delved into the risks and opportunities of publicly funded security measures for open source projects, drawing on the key findings from Dr. Ellis’s report. Joining Dr. Ellis on the panel were Amir Montazery from OSTIF, Yona Raekow from BSI, and Dr. Aïmad Berady from YesWeHack. The panel offered attendees a chance to hear reflections on the report findings from expert perspectives. The round was moderated by Tara Tarakiyee, technologist at Sovereign Tech Agency.
We’re looking for a Cybersecurity Program Lead (all genders)
We're looking for an experienced and innovative expert in open source security to manage, scale and lead the Sovereign Tech Resilience program.
Launched by the Sovereign Tech Agency in 2023, Sovereign Tech Resilience improves the security posture of critical open source projects by addressing technical debt, commissioning security audits, and fostering a culture of resilience through a bug-and-fix bounty system. This program serves the public interest and societal resilience by enhancing the reliability and security of critical open source software that underpins modern digital infrastructure. Sovereign Tech Resilience actively invests in and collaborates with the open source communities.
As the Cybersecurity Program Lead, you will oversee the program’s daily operations, enhance its impact, and build connections with global open source communities and security researchers.