This is a program that I've been championing within @nivenly over the past year, after we noticed that security vulnerabilities weren't being disclosed responsibly, and not enough research was going into the security of Fediverse software.
-
This is a program that I've been championing within @nivenly over the past year, after we noticed that security vulnerabilities weren't being disclosed responsibly, and not enough research was going into the security of Fediverse software.
You might remember my Pixelfed vulnerability from last year, where OAuth scopes weren't checked allowing for privilege escalation via the API (CVE-2024-25108), that was our very first test-case of this program.
I'm incredibly proud to be involved in launching the Fediverse Security Fund from Nivenly Foundation (a 501(c)4 not-for-profit cooperative)
-
@thisismissem oh hell yea
@janl told y'all I was announcing something this week that I'm incredibly proud of!
-
This is a program that I've been championing within @nivenly over the past year, after we noticed that security vulnerabilities weren't being disclosed responsibly, and not enough research was going into the security of Fediverse software.
You might remember my Pixelfed vulnerability from last year, where OAuth scopes weren't checked allowing for privilege escalation via the API (CVE-2024-25108), that was our very first test-case of this program.
I'm incredibly proud to be involved in launching the Fediverse Security Fund from Nivenly Foundation (a 501(c)4 not-for-profit cooperative)
One of the interesting clauses on the program is that we expect researchers and contributors to follow the Nivenly Covenant when reporting security vulnerabilities to be eligible for the program.
We want to encourage positive contributions, after we've seen several announcements of security vulnerabilities where the reporter treated the project with disregard or insulted the team behind it. That isn't cool.
We can together all make a safer fediverse.
-
One of the interesting clauses on the program is that we expect researchers and contributors to follow the Nivenly Covenant when reporting security vulnerabilities to be eligible for the program.
We want to encourage positive contributions, after we've seen several announcements of security vulnerabilities where the reporter treated the project with disregard or insulted the team behind it. That isn't cool.
We can together all make a safer fediverse.
We also know that GitHub Sponsors isn't super ideal for payments, but it's a way for us to test the program and ensure compliance with KYC/AML and various other legal requirements.
Hopefully in the future we'll be able to offer more ways to pay the bounties out, if the program continues.
-
This is a program that I've been championing within @nivenly over the past year, after we noticed that security vulnerabilities weren't being disclosed responsibly, and not enough research was going into the security of Fediverse software.
You might remember my Pixelfed vulnerability from last year, where OAuth scopes weren't checked allowing for privilege escalation via the API (CVE-2024-25108), that was our very first test-case of this program.
I'm incredibly proud to be involved in launching the Fediverse Security Fund from Nivenly Foundation (a 501(c)4 not-for-profit cooperative)
@thisismissem Thanks for your advocacy work on this!
-
This is a program that I've been championing within @nivenly over the past year, after we noticed that security vulnerabilities weren't being disclosed responsibly, and not enough research was going into the security of Fediverse software.
You might remember my Pixelfed vulnerability from last year, where OAuth scopes weren't checked allowing for privilege escalation via the API (CVE-2024-25108), that was our very first test-case of this program.
I'm incredibly proud to be involved in launching the Fediverse Security Fund from Nivenly Foundation (a 501(c)4 not-for-profit cooperative)
-
@thisismissem hi sorry if this isn't wanted but you've a typo in the first post "after we noticed that security vulnerabilities weren't being responsibly.." think maybe you forgot to write a word?
Keep up the good work
@Sbectol oh, good catch! My brains' off in the clouds today, I swear
-
We also know that GitHub Sponsors isn't super ideal for payments, but it's a way for us to test the program and ensure compliance with KYC/AML and various other legal requirements.
Hopefully in the future we'll be able to offer more ways to pay the bounties out, if the program continues.
aaand aaah, TechCrunch have covered the announcement! Thanks @Sarahp!
A new security fund opens up to help protect the fediverse | TechCrunch
A new security fund aims to help apps in the fediverse — like Mastodon, Threads, and Pixelfed — to pay researchers for disclosing security bugs.
TechCrunch (techcrunch.com)
-
This is a program that I've been championing within @nivenly over the past year, after we noticed that security vulnerabilities weren't being disclosed responsibly, and not enough research was going into the security of Fediverse software.
You might remember my Pixelfed vulnerability from last year, where OAuth scopes weren't checked allowing for privilege escalation via the API (CVE-2024-25108), that was our very first test-case of this program.
I'm incredibly proud to be involved in launching the Fediverse Security Fund from Nivenly Foundation (a 501(c)4 not-for-profit cooperative)
@thisismissem @nivenly this is such a cool and needed project!
-
This is a program that I've been championing within @nivenly over the past year, after we noticed that security vulnerabilities weren't being disclosed responsibly, and not enough research was going into the security of Fediverse software.
You might remember my Pixelfed vulnerability from last year, where OAuth scopes weren't checked allowing for privilege escalation via the API (CVE-2024-25108), that was our very first test-case of this program.
I'm incredibly proud to be involved in launching the Fediverse Security Fund from Nivenly Foundation (a 501(c)4 not-for-profit cooperative)
@thisismissem @nivenly This is awesome - congrats and so excited that you're a part of this!
-
@thisismissem @nivenly This is awesome - congrats and so excited that you're a part of this!
@quillmatiq @nivenly it's something I'm really proud of, and hopefully it can help do some good.
-
aaand aaah, TechCrunch have covered the announcement! Thanks @Sarahp!
A new security fund opens up to help protect the fediverse | TechCrunch
A new security fund aims to help apps in the fediverse — like Mastodon, Threads, and Pixelfed — to pay researchers for disclosing security bugs.
TechCrunch (techcrunch.com)
A great project! Thanks @Sarahp for covering it!
-
This is a program that I've been championing within @nivenly over the past year, after we noticed that security vulnerabilities weren't being disclosed responsibly, and not enough research was going into the security of Fediverse software.
You might remember my Pixelfed vulnerability from last year, where OAuth scopes weren't checked allowing for privilege escalation via the API (CVE-2024-25108), that was our very first test-case of this program.
I'm incredibly proud to be involved in launching the Fediverse Security Fund from Nivenly Foundation (a 501(c)4 not-for-profit cooperative)
-
@thisismissem @nivenly This is amazing. Congratulations, and good work!
-
aaand aaah, TechCrunch have covered the announcement! Thanks @Sarahp!
A new security fund opens up to help protect the fediverse | TechCrunch
A new security fund aims to help apps in the fediverse — like Mastodon, Threads, and Pixelfed — to pay researchers for disclosing security bugs.
TechCrunch (techcrunch.com)
@thisismissem @Sarahp This is awesome!
-
This is a program that I've been championing within @nivenly over the past year, after we noticed that security vulnerabilities weren't being disclosed responsibly, and not enough research was going into the security of Fediverse software.
You might remember my Pixelfed vulnerability from last year, where OAuth scopes weren't checked allowing for privilege escalation via the API (CVE-2024-25108), that was our very first test-case of this program.
I'm incredibly proud to be involved in launching the Fediverse Security Fund from Nivenly Foundation (a 501(c)4 not-for-profit cooperative)
@thisismissem@hachyderm.io what would buy-in from fediverse software look like?
NodeBB has its own bug bounty program that awards reporters directly, but if the FSF were to shoulder the grunt work of reporting (and act as a liaison between us and the reporter), we'd be happy to discuss covering the reward and associated costs, for reports that come from Nivenly directly.
-
J julian@community.nodebb.org shared this topic on
-
@julian you're still receiving the vulnerability reports directly with the Fediverse Security Fund; we pay *after* you've confirmed & patched.
I wasn't aware of your bug bounty program, but could list that alongside your project.
-
System shared this topic on
-
@julian you're still receiving the vulnerability reports directly with the Fediverse Security Fund; we pay *after* you've confirmed & patched.
I wasn't aware of your bug bounty program, but could list that alongside your project.
@thisismissem@hachyderm.io great. I'm thinking that for reports coming from Fediverse Security Fund directly, we'd cover the reward portion (the High (7.0 - 8.9) – $250 USD, Critical (9.0+) – $500 USD) part, either directly to the reporter or more likely through an in-kind donation back to the fund.
Also the fund may need a better acronym... FSF
-
@julian so the reports don't come from Nivenly, the reports come from researchers and contributors and go directly to you. Once you accept & fix, and publish the advisory, the researcher/contributor can come to us and we'll pay them for their responsible disclosure.
They could also still collect from your bounty program as well, so rather than them getting just $256 or $512 from your program, they could get $506 or $1012 in total, because they can claim both bounties (if your program allows it)
(I mean, it's better than Fediverse Security Bounty — FSB
) -
@julian so the reports don't come from Nivenly, the reports come from researchers and contributors and go directly to you. Once you accept & fix, and publish the advisory, the researcher/contributor can come to us and we'll pay them for their responsible disclosure.
They could also still collect from your bounty program as well, so rather than them getting just $256 or $512 from your program, they could get $506 or $1012 in total, because they can claim both bounties (if your program allows it)
(I mean, it's better than Fediverse Security Bounty — FSB
)@thisismissem@hachyderm.io ah understood. I didn't quite get how the fund worked, but it makes more sense now (and is much simpler—organizationally—for Nivenly!)
I don't think we'll add exclusions for security fund recipients
I would say, though, that one of the requirements has to be that the affected software accepts the vulnerability. Plenty of self-proclaimed "security researchers" have filed reports, and some go as far as to publish CVEs (against our own software!) without our permission.
Quite the opposite of responsible disclosure.
