Thursday, April 3, 2025
New Security Fund Launched to Safeguard the Fediverse

The fediverse, an open social web that encompasses platforms like Mastodon, Meta’s Threads, Pixelfed, and other applications, is enhancing its security measures. On Wednesday, the Nivenly Foundation, a nonprofit dedicated to introducing governance to open-source projects, announced the creation of a new security fund. This fund aims to compensate individuals who responsibly report security vulnerabilities affecting fediverse apps and services.

Although all software is susceptible to security issues, Mastodon, as an open-source and decentralized alternative to X, has addressed numerous bugs over time, highlighting the necessity for such a program. A challenge within the fediverse is that many servers are managed by independent operators who may lack a security background or an understanding of best practices.

The Nivenly Foundation has assisted several fediverse projects in establishing basic security vulnerability reporting processes and is now prepared to award small sums to those who responsibly disclose additional security vulnerabilities that may still exist.

The compensation is set at $250 for vulnerabilities with a CVSS severity score of 7.0 to 8.9 and $500 for more critical vulnerabilities with a CVSS score of 9.0 or higher. The payouts are funded by the foundation, which receives support directly from its members, comprising both individuals and trade organizations.

Vulnerabilities are verified by two means: acceptance by the leads of the affected fediverse project, and documentation in vulnerability disclosure databases such as the CVE list.

Currently, the fund is undergoing a limited trial following the identification of a security vulnerability in Pixelfed, a decentralized alternative to Instagram. Open-source contributor Emelia Smith discovered the issue and explained that the Nivenly Foundation compensated her for resolving it.

A more recent issue arose when Pixelfed’s creator, Daniel Supernault, made public the details of a vulnerability before server operators had the opportunity to update, potentially exposing the fediverse to malicious entities. Supernault has issued a public apology regarding his handling of the matter, which impacted private accounts.

As part of the initiative, project leads are being offered education on the importance of responsible disclosure practices for security vulnerabilities, Smith told TechCrunch. She remarked that some projects had wrongly advised reporters to file security vulnerabilities in public issue trackers, which is risky because malicious actors monitoring the repository could exploit the information before a fix is available.

The common practice is to disclose only minimal information about a vulnerability at first, giving server operators time to upgrade before full details are published, according to Smith. However, this requires project leads to be knowledgeable about security best practices.

In response to the Pixelfed issue, the Hachyderm Mastodon server, with over 9,500 members, decided that to protect its users it needed to defederate from Pixelfed servers that had not yet been updated.

With the new program encouraging best practices in vulnerability disclosure, the need to defederate in order to safeguard users may arise less often.
