The European Commission is beginning the new year with a major commitment to fight fraud – and is turning to the world of white hat hackers to help them do it. The EC announced this week that it has allocated up to  €850,000 ($966,000) for bug bounties: cash awards to programmers, developers, and others who are able to identify security vulnerabilities in 14 open source projects.

The EC’s bug bounty program will run in part via the platform provided by FinDEVr alum and ethical hacker HackerOne. The programs will cover open source software common in European infrastructure including streaming software Apache Kafka, content management framework Drupal, and a free SSH and telnet client for Windows called PuTTY. In addition to HackerOne, ethical hacking and bug bounty platform, Intigriti, will also be used for some projects.

Above: HackerOne co-founder Michiel Prins during his presentation on ethical hacking and bug bounties at FinDEVr London 2017.

The funds for the bug bounty program come from the EU Free and Open Source Software Audit (FOSSA) project run by the EC’s Directorate of General of Informatics (DIGIT). The initiative was launched in 2014 by German politician, EU parliamentarian, and Pirate Party member, Julia Reda, after security vulnerabilities were found in key open source software projects including the Open Source encryption library, OpenSSL.

“The Internet is built on Free and Open Source Software,” said Reda (pictured). “It is part of our every day lives. Therefore the European Commission and public administrations in general have a responsibility to ensure its stability, reliability and security – by investing in it.”

The EU bug bounty programs for HackerOne begin next week and run through mid-August for projects involving Filezilla, Apache Kafka, Notepad++, midPoint, and VLC Media Player, and until mid-December for PuTTY.

HackerOne participated in our developers conference, FinDEVr London 2017. Co-founder Michiel Prins presented Tapping Hackers to Improve Security, which introduced the concept of ethical “white hat” hackers and bug bounty programs as a way for institutions to uncover security vulnerabilities in their networks and systems.

Last fall the company announced that it secured a million dollar bug bounty contract with the Technology Transformation Service (TTS) of the U.S. General Services Administration. Over the summer, HackerOne worked with the U.S. Department of Defense, as part of its Hack the Marine Corps initiative to improve the cybersecurity on the public-facing websites on the Marine Corps Enterprise Network (MCEN).

Founded in 2012 and headquartered in San Francisco, California, HackerOne has raised $74 million in funding. The company includes New Enterprise Associates, Benchmark, and Dragoneer Investment Group among its investors.

The white hat hackers of HackerOne have won a $2 million bug bounty contract with the Technology Transformation Service (TTS) of the U.S. General Services Administration.

The firm, which employs ethical hackers to find security vulnerabilities in client websites before the bad guys do, has worked with the TTS for a little over a year now. The new contract extends the partnership, providing a base performance period of six months, with an additional nine option periods lasting six months each for a total of five years.

Marten Mickos, CEO of HackerOne, called the contract “a reminder of the leadership role that the U.S. federal government has taken in vulnerability disclosure.” The GSA in particular has shown a strong interest in using bug bounties – i.e., cash prizes to hackers who discover and report vulnerabilities – and is the first civilian agency to leverage these programs to improve its website security.

“Over the last year, GSA has proved to be one of the fastest government agencies in regards to resolution time,” Mickos said, “resolving vulnerabilities markedly faster than the global average for government bug bounty programs.”

The contract with the GSA comes just over a month after the company announced inking a deal with the U.S. Department of Defense to unleash its squad of white hat hackers on the public-facing websites of the Marine Corps Enterprise Network (MCEN). The Hack the Marine Corps bug bounty challenge in August was the latest iteration of the San Francisco, California-based company’s work with the DoD, having also launched similar campaigns with the Army, the Air Force, and the Defense Travel System over the past two years.

Founded in 2012, HackerOne presented Tapping Hackers to Improve Security at our developers conference, FinDEVr London, last summer. The presentation discussed how external, white hat hackers can help companies uncover cybersecurity flaws, and how they can move toward more comprehensive vulnerability disclosure programs.

Since inception, HackerOne has helped 1,000+ companies and organizations find and fix more than 76,000 cybersecurity vulnerabilities, earning white hat hackers $32 million in bug bounties.

Who defends the defenders? When it comes to the U.S. Marine Corps and the challenge of cybersecurity, the U.S. Department of Defense goes with the white hackers of HackerOne.

“Success in cybersecurity is about harnessing human ingenuity,” HackerOne CEO Marten Mickos explained. “There is no tool, scanner, or software that detects critical security vulnerabilities faster or more completely than hackers. The Marine Corps, one of the most secure organizations in the world, is the latest government agency to benefit from diverse hacker perspectives to protect Americans on and off the battlefield.”

For its sixth bug bounty program, Hack the Marine Corps, the Defense Department has again enlisted hacker-powered cybersecurity firm, HackerOne, to improve security on the public-facing websites of the Marine Corps Enterprise Network (MCEN). The program began with a live hacking event in Las Vegas, Nevada on Sunday. This kickoff event featured nearly 100 white hat hackers who spent nine hours testing and probing the Marine Corps’ public-facing websites for security vulnerabilities. The hackers filed 75 unique valid security vulnerability reports that day, winning more than $80,000 in prize money for their efforts. The bug bounty program continues until August 26th.

HackerOne co-founder Michiel Prins during his presentation “Tapping Hackers to Improve Security” at FinDEVr London 2017.

Hack the Marine Corps is part of the Hack the Pentagon crowdsourced cybersecurity program initially launched by the Department of Defense’s Defense Digital Service (DDS) and HackerOne in 2016. The Marine Corps commitment to improving cybersecurity has grown since then to include the creation of a cyberspace career track for service members. In fact, during the Vegas event, members of the U.S. Marine Corps Cyberspace Command (MARFORCYBER) worked alongside the invited security professionals on both offensive and defensive cyber teams.

“Information security is a challenge unlike any other for our military,” DDS Director Chris Lynch said. “Our adversaries are working to exploit networks and cripple our operations without ever firing a weapon. Sometimes, the best line of defense is a skilled hacker working together with our men and women in uniform to better secure our systems.” More than 5,000 vulnerabilities have been reported in government systems since Hack the Pentagon was launched.

In addition to Hack the Pentagon and Hack the Marine Corps, bug bounty challenges have also been launched with the Army (December 2016), the Air Force (April 2017), and, this spring, the Defense Travel System.

Founded in 2012, San Francisco, California-based HackerOne participated in our developers conference, FinDEVr London, last summer. The company’s presentation, Tapping Hackers to Improve Security, underscored the role and value of bug bounty programs as part of a comprehensive strategy to develop an effective cybervulnerability disclosure program.

More than 1,000 organizations including Google, Nintendo, Lufthansa, and Starbucks have leveraged HackerOne’s white hat hackers to find and fix vulnerabilities before they are discovered by cybercriminals. HackerOne has helped companies resolve more than 76,000 vulnerabilities, resulting in the awarding of more than $32 million in bug bounties to ethical hackers.