The EU has announced [1] the bug bounty program for Apache Tomcat and it
has been picked up by several media outlets [2],[3].

If you haven't already read it, I highly recommend reading the ASF's
take on FOSSA 1 [4].

There have been some private discussions between the Tomcat PMC and
intigriti (the company that will run the Tomcat bug bounty program for
the EU). Now that this has been announced, my expectation is that
further discussions will be on the dev@ list.

The short version of the discussions so far is:
- intigriti will perform triage and only pass validated issues to the
  Tomcat security team
- intigriti will use our standard vulnerability reporting process with
  the only difference being that intigriti report the issue rather than
  the OP and intigriti handle the communication with the OP
- only issues given a CVE will be eligible for a bounty
- the Tomcat security team determines if a CVE is required
- Vulnerabilities in Tomcat 9.0.x, 8.5.x, 7.0.x, Connectors 1.2.x and
  Native 1.2.x will be eligible
- Foundation wide resources used by the project (Bugzilla, svn, etc.)
  and external services (, github, etc.) are all out of

I don't see anything on intigriti's site for this yet. I imagine that
now the EU has announced this, that will appear fairly soon.
