agnos.is Forums

This is a program that I've been championing within @nivenly over the past year, after we noticed that security vulnerabilities weren't being disclosed responsibly, and not enough research was going into the security of Fediverse software.

26 Posts 12 Posters 159 Views
  • thisismissem@hachyderm.io
    #1

    This is a program that I've been championing within @nivenly over the past year, after we noticed that security vulnerabilities weren't being disclosed responsibly, and not enough research was going into the security of Fediverse software.

    You might remember my Pixelfed vulnerability from last year, where OAuth scopes weren't checked, allowing for privilege escalation via the API (CVE-2024-25108); that was our very first test case of this program.

    I'm incredibly proud to be involved in launching the Fediverse Security Fund from Nivenly Foundation (a 501(c)4 not-for-profit cooperative).

    #fediverse #security #nivenly #FediverseSecurityFund

    RE: https://hachyderm.io/@nivenly/114268491892140498
  • Guest
    #2

    @thisismissem oh hell yea
  • thisismissem@hachyderm.io
    #3

    @janl told y'all I was announcing something this week that I'm incredibly proud of!
  • thisismissem@hachyderm.io
    #4

    One of the interesting clauses on the program is that we expect researchers and contributors to follow the Nivenly Covenant when reporting security vulnerabilities to be eligible for the program.

    We want to encourage positive contributions, after we've seen several announcements of security vulnerabilities where the reporter treated the project with disregard or insulted the team behind it. That isn't cool.

    We can together all make a safer fediverse.
  • thisismissem@hachyderm.io
    #5

    We also know that GitHub Sponsors isn't super ideal for payments, but it's a way for us to test the program and ensure compliance with KYC/AML and various other legal requirements.

    Hopefully in the future we'll be able to offer more ways to pay the bounties out, if the program continues.
  • box464@mastodon.social
    #6

    @thisismissem Thanks for your advocacy work on this!
  • Guest
    #7

    @thisismissem hi sorry if this isn't wanted but you've a typo in the first post "after we noticed that security vulnerabilities weren't being responsibly.." think maybe you forgot to write a word?

    Keep up the good work
  • thisismissem@hachyderm.io
    #8

    @Sbectol oh, good catch! My brain's off in the clouds today, I swear 😅
  • thisismissem@hachyderm.io
    #9

    aaand aaah, TechCrunch have covered the announcement! Thanks @Sarahp!

    https://techcrunch.com/2025/04/02/a-new-security-fund-opens-up-to-help-protect-the-fediverse/
  • Guest
    #10

    @thisismissem @nivenly this is such a cool and needed project!
  • Guest
    #11

    @thisismissem @nivenly This is awesome - congrats and so excited that you're a part of this!
  • thisismissem@hachyderm.io
    #12

    @quillmatiq @nivenly it's something I'm really proud of, and hopefully it can help do some good.
  • Guest
    #13

    A great project! Thanks @Sarahp for covering it!
  • Guest
    #14

    @thisismissem @nivenly This is amazing. Congratulations, and good work!
  • thisismissem@hachyderm.io
    #15

    @miah @nivenly thank you!
  • Guest
    #16

    @thisismissem @Sarahp This is awesome!
  • julian@community.nodebb.org
    #17

    @[email protected] what would buy-in from fediverse software look like?

    NodeBB has its own bug bounty program that awards reporters directly, but if the FSF were to shoulder the grunt work of reporting (and act as a liaison between us and the reporter), we'd be happy to discuss covering the reward and associated costs, for reports that come from Nivenly directly.

    I know the program is meant to benefit all fedi software and there's (I think?) no expectation of compensation from the software owners themselves, but in this case NodeBB would be happy to cover at least the reward portion for any vulnerabilities disclosed. We're not raking in huge amounts of money ourselves, but our bounty program is one of the last things we will cut.
  • thisismissem@hachyderm.io
    #18

    @julian you're still receiving the vulnerability reports directly with the Fediverse Security Fund; we pay *after* you've confirmed & patched.

    I wasn't aware of your bug bounty program, but could list that alongside your project.
  • julian@community.nodebb.org
    #19

    @[email protected] great. I'm thinking that for reports coming from Fediverse Security Fund directly, we'd cover the reward portion (the High (7.0 - 8.9) – $250 USD, Critical (9.0+) – $500 USD) part, either directly to the reporter or more likely through an in-kind donation back to the fund.

    Also the fund may need a better acronym... FSF 😅
  • thisismissem@hachyderm.io
    #20

    @julian so the reports don't come from Nivenly, the reports come from researchers and contributors and go directly to you. Once you accept & fix, and publish the advisory, the researcher/contributor can come to us and we'll pay them for their responsible disclosure.

    They could also still collect from your bounty program as well, so rather than them getting just $256 or $512 from your program, they could get $506 or $1012 in total, because they can claim both bounties (if your program allows it)

    (I mean, it's better than Fediverse Security Bounty — FSB 😂)