This is a program that I've been championing within @nivenly over the past year, after we noticed that security vulnerabilities weren't being disclosed responsibly, and not enough research was going into the security of Fediverse software.
-
aaand aaah, TechCrunch have covered the announcement! Thanks @Sarahp!
A new security fund opens up to help protect the fediverse | TechCrunch
A new security fund aims to help apps in the fediverse — like Mastodon, Threads, and Pixelfed — to pay researchers for disclosing security bugs.
TechCrunch (techcrunch.com)
-
@thisismissem @nivenly this is such a cool and needed project!
-
@thisismissem @nivenly This is awesome - congrats and so excited that you're a part of this!
-
@quillmatiq @nivenly it's something I'm really proud of, and hopefully it can help do some good.
-
A great project! Thanks @Sarahp for covering it!
-
@thisismissem @nivenly This is amazing. Congratulations, and good work!
-
-
@thisismissem @Sarahp This is awesome!
-
@thisismissem@hachyderm.io what would buy-in from fediverse software look like?
NodeBB has its own bug bounty program that awards reporters directly, but if the FSF were to shoulder the grunt work of reporting (and act as a liaison between us and the reporter), we'd be happy to discuss covering the reward and associated costs, for reports that come from Nivenly directly.
-
J julian@community.nodebb.org shared this topic on
-
@julian you're still receiving the vulnerability reports directly with the Fediverse Security Fund; we pay *after* you've confirmed & patched.
I wasn't aware of your bug bounty program, but could list that alongside your project.
-
@thisismissem@hachyderm.io great. I'm thinking that for reports coming from Fediverse Security Fund directly, we'd cover the reward portion (the High (7.0 - 8.9) – $250 USD, Critical (9.0+) – $500 USD) part, either directly to the reporter or more likely through an in-kind donation back to the fund.
Also the fund may need a better acronym... FSF
