Oh yeah, this quietly happened the other day:

Oh yeah, this quietly happened the other day:
https://hollo.social/@hollo/01973e37-2969-754a-b8c6-4cf20531bad5

@julian eh? I mean, sure, or just detect whether the request is a GET / HEAD / OPTIONS request, and then don't send the content-type header? (since those methods don't support request bodies iirc)

@julian which actually makes sense, because with a GET request, you're not sending any request content, and Content-Type applies to the request body, not to the content type you want back.

@julian oh! it's because you're sending the Content-Type header, send Accept instead.

@julian try sending `Accept: application/jrd+json`

Since that's the content-type for webfinger, not application/json. In fedify, the fetch call is also with redirect manual, such that max redirection logic and SSRF checks can be done.

@julian fedify manages it, so many take a look at their webfinger implementation?

@esk @julian do you wanna adjust? because we can ^_^

@julian we'll see how the fund goes, but we can always change the terms as necessary to get the right output, that's why this is an experiment.

@julian yes, that's exactly what needs to happen. Like, it's CVE + the fix merged into the project. And we'll actually verify that before paying out. Definitely don't want those low quality reports for stuff that isn't actually a CVE

@julian so the reports don't come from Nivenly, the reports come from researchers and contributors and go directly to you. Once you accept & fix, and publish the advisory, the researcher/contributor can come to us and we'll pay them for their responsible disclosure.

They could also still collect from your bounty program as well, so rather than them getting just $256 or $512 from your program, they could get $506 or $1012 in total, because they can claim both bounties (if your program allows it)

(I mean, it's better than Fediverse Security Bounty — FSB )

@julian you're still receiving the vulnerability reports directly with the Fediverse Security Fund; we pay *after* you've confirmed & patched.

I wasn't aware of your bug bounty program, but could list that alongside your project.

@miah @nivenly thank you!

@quillmatiq @nivenly it's something I'm really proud of, and hopefully it can help do some good.

aaand aaah, TechCrunch have covered the announcement! Thanks @Sarahp!

A new security fund opens up to help protect the fediverse | TechCrunch

A new security fund aims to help apps in the fediverse — like Mastodon, Threads, and Pixelfed — to pay researchers for disclosing security bugs.

TechCrunch (techcrunch.com)

@Sbectol oh, good catch! My brains' off in the clouds today, I swear

We also know that GitHub Sponsors isn't super ideal for payments, but it's a way for us to test the program and ensure compliance with KYC/AML and various other legal requirements.

Hopefully in the future we'll be able to offer more ways to pay the bounties out, if the program continues.

One of the interesting clauses on the program is that we expect researchers and contributors to follow the Nivenly Covenant when reporting security vulnerabilities to be eligible for the program.

We want to encourage positive contributions, after we've seen several announcements of security vulnerabilities where the reporter treated the project with disregard or insulted the team behind it. That isn't cool.

We can together all make a safer fediverse.

@janl told y'all I was announcing something this week that I'm incredibly proud of!

This is a program that I've been championing within @nivenly over the past year, after we noticed that security vulnerabilities weren't being disclosed responsibly, and not enough research was going into the security of Fediverse software.

You might remember my Pixelfed vulnerability from last year, where OAuth scopes weren't checked allowing for privilege escalation via the API (CVE-2024-25108), that was our very first test-case of this program.

I'm incredibly proud to be involved in launching the Fediverse Security Fund from Nivenly Foundation (a 501(c)4 not-for-profit cooperative)

#fediverse #security #nivenly #FediverseSecurityFund

RE: https://hachyderm.io/@nivenly/114268491892140498