This is a program that I've been championing within @nivenly over the past year, after we noticed that security vulnerabilities weren't being disclosed responsibly, and not enough research was going into the security of Fediverse software.
-
@julian so the reports don't come from Nivenly, the reports come from researchers and contributors and go directly to you. Once you accept & fix, and publish the advisory, the researcher/contributor can come to us and we'll pay them for their responsible disclosure.
They could also still collect from your bounty program as well, so rather than them getting just $256 or $512 from your program, they could get $506 or $1012 in total, because they can claim both bounties (if your program allows it)
(I mean, it's better than Fediverse Security Bounty — FSB)
@thisismissem@hachyderm.io ah understood. I didn't quite get how the fund worked, but it makes more sense now (and is much simpler—organizationally—for Nivenly!)
I don't think we'll add exclusions for security fund recipients
I would say, though, that one of the requirements has to be that the affected software accepts the vulnerability. Plenty of self-proclaimed "security researchers" have filed reports, and some go as far as to publish CVEs (against our own software!) without our permission.
Quite the opposite of responsible disclosure.
-
@julian yes, that's exactly what needs to happen. Like, it's CVE + the fix merged into the project. And we'll actually verify that before paying out. Definitely don't want those low quality reports for stuff that isn't actually a CVE
-
@julian we'll see how the fund goes, but we can always change the terms as necessary to get the right output, that's why this is an experiment.
-
I feel like we missed an opportunity here @thisismissem by not choosing powers of two
love it @julian
-
aaand aaah, TechCrunch have covered the announcement! Thanks @Sarahp!
A new security fund opens up to help protect the fediverse | TechCrunch
A new security fund aims to help apps in the fediverse — like Mastodon, Threads, and Pixelfed — to pay researchers for disclosing security bugs.
TechCrunch (techcrunch.com)
@thisismissem damn @Sarahp killing it with the fediverse coverage lately!