New Security Fund for the Fediverse Launched

April 2, 2025

Enhanced Security Measures for the Fediverse

The fediverse, encompassing open social web platforms like Mastodon, Meta’s Threads, Pixelfed, and others, is undergoing significant security enhancements. The Nivenly Foundation, a nonprofit dedicated to governance in open source projects, announced on Wednesday the establishment of a new security fund.

This fund will financially reward individuals who responsibly report security flaws discovered within fediverse applications and services.

Addressing Vulnerabilities in Decentralized Networks

While all software is potentially susceptible to security concerns, Mastodon – a decentralized and open-source alternative to X – has addressed numerous bugs throughout its history. This history underscores the necessity for a dedicated vulnerability program.

A further challenge within the fediverse lies in the fact that many servers are managed by independent administrators who may lack specialized security expertise or awareness of optimal security protocols.

The Nivenly Foundation's Initiative

The Nivenly Foundation has already assisted several fediverse projects in establishing fundamental security vulnerability reporting procedures. Now, the organization aims to distribute monetary rewards to those who responsibly disclose previously unknown security vulnerabilities.

Payouts will be allocated at $250 for vulnerabilities assessed with a Common Vulnerability Scoring System (CVSS) score ranging from 7.0 to 8.9. More critical vulnerabilities, those with a CVSS score of 9.0 or higher, will receive $500.

Funding for these payouts originates from the foundation itself, which is financially supported by its membership base – comprising both individual contributors and trade organizations.

Vulnerability Validation Process

Reported vulnerabilities are considered valid once they are accepted by the maintainers of the affected fediverse project and recorded in a public vulnerability disclosure database, such as the CVE database.

The fund is currently operating in a limited trial phase, initiated following the identification of a security vulnerability within Pixelfed, a decentralized Instagram alternative.

Open-source developer Emelia Smith discovered the issue and, as she has explained, was paid by the Nivenly Foundation for resolving it.

Importance of Responsible Disclosure

A recent incident involved Pixelfed’s creator, Daniel Supernault, who publicly revealed vulnerability details before server operators had the opportunity to implement updates. This action potentially exposed the fediverse to malicious actors, as Smith points out. (Supernault has since issued a public apology for his handling of the issue, which impacted private accounts.)

“A key component of this program is educating project leaders about the importance of responsible disclosure practices for security vulnerabilities,” Smith stated to TechCrunch.

“We encountered projects that directed users to report security issues in their public issue trackers, a practice that is inherently unsafe, as any attacker monitoring the repository could exploit the software,” she added.

Best Practices for Vulnerability Disclosure

The standard approach involves disclosing minimal vulnerability information, allowing server operators sufficient time to apply necessary upgrades, Smith explained. However, this necessitates that project leaders possess a strong understanding of security best practices.

For example, in response to the Pixelfed vulnerability, the Hachyderm Mastodon server, with over 9,500 members, chose to defederate – or disconnect – from Pixelfed servers that hadn’t been updated, to safeguard its user base.

By implementing this new program, which prioritizes best practices in vulnerability disclosure, the need for such protective defederation measures may be reduced.
