Create accountLogin

Recent searches

No recent searches

Search options

Only available when logged in.
hachyderm.io is one of the many independent Mastodon servers you can use to participate in the fediverse.
Hachyderm is a safe space, LGBTQIA+ and BLM, primarily comprised of tech industry professionals world wide. Note that many non-user account types have restrictions - please see our About page.

Administered by:

Server stats:

9.4K
active users

hachyderm.io: AboutStatusProfiles directoryPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.3.7

Public *
Emelia 👸🏻

This is a program that I've been championing within @nivenly over the past year, after we noticed that security vulnerabilities weren't being disclosed responsibly, and not enough research was going into the security of Fediverse software.

You might remember my Pixelfed vulnerability from last year, where OAuth scopes weren't checked allowing for privilege escalation via the API (CVE-2024-25108), that was our very first test-case of this program.

I'm incredibly proud to be involved in launching the Fediverse Security Fund from Nivenly Foundation (a 501(c)4 not-for-profit cooperative)

RE: hachyderm.io/@nivenly/11426849

Public *
julian

@thisismissem@hachyderm.io what would buy-in from fediverse software look like?

NodeBB has its own bug bounty program that awards reporters directly, but if the FSF were to shoulder the grunt work of reporting (and act as a liaison between us and the reporter), we'd be happy to discuss covering the reward and associated costs, for reports that come from Nivenly directly.

I know the program is meant to benefit all fedi software and there's (I think?) no expectation of compensation from the software owners themselves, but in this case NodeBB would be happy to cover at least the reward portion for any vulnerabilities disclosed. We're not raking in huge amounts of money ourselves, but our bounty program is one of the last things we will cut.

Public
Emelia 👸🏻

@julian you're still receiving the vulnerability reports directly with the Fediverse Security Fund; we pay *after* you've confirmed & patched.

I wasn't aware of your bug bounty program, but could list that alongside your project.

Public *
julian

@thisismissem@hachyderm.io great. I'm thinking that for reports coming from Fediverse Security Fund directly, we'd cover the reward portion (the High (7.0 - 8.9) – $250 USD, Critical (9.0+) – $500 USD) part, either directly to the reporter or more likely through an in-kind donation back to the fund.

This would be instead of the existing NodeBB bounty program rewards.

Also the fund may need a better acronym... FSF :sweat_smile:

Public
Emelia 👸🏻

@julian so the reports don't come from Nivenly, the reports come from researchers and contributors and go directly to you. Once you accept & fix, and publish the advisory, the researcher/contributor can come to us and we'll pay them for their responsible disclosure.

They could also still collect from your bounty program as well, so rather than them getting just $256 or $512 from your program, they could get $506 or $1012 in total, because they can claim both bounties (if your program allows it)

(I mean, it's better than Fediverse Security Bounty — FSB 😂)

Public
Esk 🐌⚡💜

i feel like we missed an opportunity here @thisismissem by not choosing powers of two :blobfoxlaugh:

love it @julian

ExploreLive feeds
About