This is a program that I've been championing within @nivenly over the past year, after we noticed that security vulnerabilities weren't being disclosed responsibly, and not enough research was going into the security of Fediverse software.
You might remember my Pixelfed vulnerability from last year, where OAuth scopes weren't checked, allowing for privilege escalation via the API (CVE-2024-25108); that was our very first test case for this program.
I'm incredibly proud to be involved in launching the Fediverse Security Fund from Nivenly Foundation (a 501(c)4 not-for-profit cooperative).
-
thisismissem@hachyderm.io replied to thisismissem@hachyderm.io
One of the interesting clauses on the program is that we expect researchers and contributors to follow the Nivenly Covenant when reporting security vulnerabilities to be eligible for the program.
We want to encourage positive contributions, after we've seen several announcements of security vulnerabilities where the reporter treated the project with disregard or insulted the team behind it. That isn't cool.
We can together all make a safer fediverse.
-
thisismissem@hachyderm.io replied to thisismissem@hachyderm.io
We also know that GitHub Sponsors isn't super ideal for payments, but it's a way for us to test the program and ensure compliance with KYC/AML and various other legal requirements.
Hopefully in the future we'll be able to offer more ways to pay the bounties out, if the program continues.
-
thisismissem@hachyderm.io replied to thisismissem@hachyderm.io
aaand aaah, TechCrunch have covered the announcement! Thanks @Sarahp!
https://techcrunch.com/2025/04/02/a-new-security-fund-opens-up-to-help-protect-the-fediverse/
-
thenexusofprivacy@infosec.exchange shared this topic
-
thenexusofprivacy@infosec.exchange replied to thisismissem@hachyderm.io
A great project! Thanks @Sarahp for covering it!