Fediverse Boosts Security with New Vulnerability Disclosure Program

Alexis Rowe

April 02, 2025 · 4 min read

The fediverse, a decentralized and open social web comprising platforms like Mastodon, Meta's Threads, and Pixelfed, is taking a significant step towards enhancing its security posture. On Wednesday, the Nivenly Foundation, a nonprofit organization focused on governance in open source projects, announced the launch of a new security fund designed to incentivize responsible vulnerability disclosure in fediverse apps and services.

The need for such a program is underscored by the fact that Mastodon, an open source and decentralized alternative to traditional social media platforms, has fixed numerous security bugs over the years. Moreover, many servers in the fediverse are operated by independent individuals who may not have a security background or be familiar with best practices, leaving their instances exposed to security threats.

The Nivenly Foundation's security fund aims to address this issue by paying individuals who responsibly disclose security vulnerabilities affecting fediverse apps and services. The fund will distribute payouts of $250 for vulnerabilities with a CVSS score of 7.0-8.9 and $500 for more critical vulnerabilities with a CVSS score of 9.0 or greater. These funds will be sourced from the foundation, which is supported by its members, including individuals and trade organizations.

The validation process for reported vulnerabilities will involve acceptance from fediverse project leads as well as public records in vulnerability disclosure (CVE) databases. The fund is currently in a limited trial phase, following the discovery of a security vulnerability in Pixelfed, a decentralized Instagram alternative. Open source contributor Emelia Smith identified the issue, and the Nivenly Foundation paid her to fix it.

However, the vulnerability disclosure process was complicated by Pixelfed's creator, Daniel Supernault, who made the details public before server operators had a chance to update, potentially leaving the fediverse vulnerable to malicious actors. Supernault has since apologized publicly for his handling of the issue, which affected private accounts.

Emelia Smith emphasized the importance of responsible disclosure practices, stating that "part of the program is...education for project leads, helping them understand why responsible disclosure practices for security vulnerabilities are important." She noted that some projects had previously instructed users to file security vulnerabilities in public issue trackers, which is insecure because it reveals the flaw to malicious actors before a fix is available.

Typically, the common practice is to disclose minimal information about a vulnerability, giving server operators time to upgrade. However, this requires project leads to understand security best practices. In the case of the Pixelfed issue, the Hachyderm Mastodon server, which has over 9,500 members, decided to defederate (or disconnect from) other Pixelfed servers that hadn't been updated in order to protect their users.

The new program, designed to follow best practices around vulnerability disclosure, may reduce the need for defederation to protect users in the future. By promoting responsible disclosure and incentivizing security researchers to report vulnerabilities, the fediverse can improve its overall security posture and provide a safer experience for its users.

The launch of this security fund marks a significant step towards maturing the fediverse's security practices and demonstrates the community's commitment to protecting its users. As the fediverse continues to grow and evolve, initiatives like this will play a crucial role in ensuring the security and integrity of the open social web.

Copyright © 2024 Starfolk. All rights reserved.