NodeBB-ActivityPub Bridge Test Instance

This is a program that I've been championing within @nivenly over the past year, after we noticed that security vulnerabilities weren't being disclosed responsibly, and not enough research was going into the security of Fediverse software.

Tags: fediverse, security, nivenly, fediversesecuri
26 Posts, 12 Posters, 190 Views
#1 thisismissem@hachyderm.io (remote user) wrote:

This is a program that I've been championing within @nivenly over the past year, after we noticed that security vulnerabilities weren't being disclosed responsibly, and not enough research was going into the security of Fediverse software.

You might remember my Pixelfed vulnerability from last year, where OAuth scopes weren't checked allowing for privilege escalation via the API (CVE-2024-25108), that was our very first test-case of this program.

I'm incredibly proud to be involved in launching the Fediverse Security Fund from Nivenly Foundation (a 501(c)4 not-for-profit cooperative)

#fediverse #security #nivenly #FediverseSecurityFund

RE: https://hachyderm.io/@nivenly/114268491892140498
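The vulnerability class named in the first post (a valid OAuth token accepted without checking that it carries the scope the endpoint needs) is easy to see in a small authorizer. The following is an added example written for this thread; it is not code from Pixelfed, NodeBB or the Nivenly program. The routes, scope names, tokens and the `scopeGaps` audit helper are all constructed for illustration; it shows a token-only check beside a scope-aware check and enumerates every request the loose check would wrongly allow.

```javascript
// Added example (not from the thread): enforcing OAuth scopes on a JSON API.
// Routes, scope names and tokens are constructed for illustration.

// Every route declares the scope a bearer token must carry.
// Unlisted routes are denied by default (see authorizeWithScopes).
const ROUTE_SCOPES = {
  "GET /api/v1/accounts/verify_credentials": "read",
  "POST /api/v1/statuses": "write",
  "POST /api/v1/admin/accounts/suspend": "admin:write",
};

// Constructed tokens, shaped like the result of a token introspection lookup.
// `expires` is a Unix timestamp (seconds).
const TOKENS = {
  "tok-readonly":  { user: "alice", scopes: ["read"],                         expires: 4102444800 },
  "tok-readwrite": { user: "bob",   scopes: ["read", "write"],                expires: 4102444800 },
  "tok-expired":   { user: "carol", scopes: ["read", "write", "admin:write"], expires: 0 },
};

// Returns the token record if it exists and has not expired, else null.
function lookupToken(bearer, now) {
  const token = TOKENS[bearer];
  if (!token || token.expires <= now) return null;
  return token;
}

// Vulnerable pattern: any live token is accepted for any route.
// Scope is never consulted, so a read-only token can reach admin endpoints.
function authorizeTokenOnly(bearer, route, now = Math.floor(Date.now() / 1000)) {
  const token = lookupToken(bearer, now);
  if (!token) return { ok: false, status: 401, reason: "invalid_token" };
  return { ok: true, status: 200, user: token.user };
}

// Hardened pattern: the token must be live AND carry the scope the route requires.
// A route with no declared scope is refused rather than silently allowed.
function authorizeWithScopes(bearer, route, now = Math.floor(Date.now() / 1000)) {
  const token = lookupToken(bearer, now);
  if (!token) return { ok: false, status: 401, reason: "invalid_token" };
  const required = ROUTE_SCOPES[route];
  if (required === undefined) return { ok: false, status: 403, reason: "unmapped_route" };
  if (!token.scopes.includes(required)) {
    return { ok: false, status: 403, reason: "insufficient_scope", required };
  }
  return { ok: true, status: 200, user: token.user };
}

// Audit helper: every (token, route) pair the loose check grants but the
// strict check refuses is a privilege-escalation path that a fix must close.
function scopeGaps(now = Math.floor(Date.now() / 1000)) {
  const gaps = [];
  for (const bearer of Object.keys(TOKENS)) {
    for (const route of Object.keys(ROUTE_SCOPES)) {
      const loose = authorizeTokenOnly(bearer, route, now);
      const strict = authorizeWithScopes(bearer, route, now);
      if (loose.ok && !strict.ok) gaps.push({ bearer, route, reason: strict.reason });
    }
  }
  return gaps;
}

// Stand-alone run: list the escalation paths the token-only check leaves open.
for (const gap of scopeGaps(1000)) {
  console.log(`${gap.bearer} -> ${gap.route}: ${gap.reason}`);
}
```

With the constructed data, `scopeGaps(1000)` reports three paths: the read-only token reaching the write and admin routes, and the read/write token reaching the admin route; the expired token is refused by both checks, which is why expiry alone is not a substitute for scope enforcement.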

#2 janl@narrativ.es (remote user) wrote:

@thisismissem oh hell yea

#3 thisismissem@hachyderm.io (remote user) wrote:

@janl told y'all I was announcing something this week that I'm incredibly proud of!

#4 thisismissem@hachyderm.io (remote user) wrote:

One of the interesting clauses on the program is that we expect researchers and contributors to follow the Nivenly Covenant when reporting security vulnerabilities to be eligible for the program.

We want to encourage positive contributions, after we've seen several announcements of security vulnerabilities where the reporter treated the project with disregard or insulted the team behind it. That isn't cool.

We can together all make a safer fediverse.

#5 thisismissem@hachyderm.io (remote user) wrote:

We also know that GitHub Sponsors isn't super ideal for payments, but it's a way for us to test the program and ensure compliance with KYC/AML and various other legal requirements.

Hopefully in the future we'll be able to offer more ways to pay the bounties out, if the program continues.

#6 box464@mastodon.social (remote user) wrote:

@thisismissem Thanks for your advocacy work on this!

#7 sbectol@toot.wales (remote user) wrote:

@thisismissem hi sorry if this isn't wanted but you've a typo in the first post "after we noticed that security vulnerabilities weren't being responsibly.." think maybe you forgot to write a word?

Keep up the good work

#8 thisismissem@hachyderm.io (remote user) wrote:

@Sbectol oh, good catch! My brain's off in the clouds today, I swear 😅

#9 thisismissem@hachyderm.io (remote user) wrote:

aaand aaah, TechCrunch have covered the announcement! Thanks @Sarahp!

https://techcrunch.com/2025/04/02/a-new-security-fund-opens-up-to-help-protect-the-fediverse/

#10 rwg@aoir.social (remote user) wrote:

@thisismissem @nivenly this is such a cool and needed project!

#11 quillmatiq@mastodon.social (remote user) wrote:

@thisismissem @nivenly This is awesome - congrats and so excited that you're a part of this!

#12 thisismissem@hachyderm.io (remote user) wrote:

@quillmatiq @nivenly it's something I'm really proud of, and hopefully it can help do some good.

#13 thenexusofprivacy@infosec.exchange (remote user) wrote:

A great project! Thanks @Sarahp for covering it!

#14 miah@hachyderm.io (remote user) wrote:

@thisismissem @nivenly This is amazing. Congratulations, and good work!

#15 thisismissem@hachyderm.io (remote user) wrote:

@miah @nivenly thank you!

#16 phillycodehound@indieweb.social (remote user) wrote:

@thisismissem @Sarahp This is awesome!

#17 julian@community.nodebb.org (remote user) wrote:

@thisismissem@hachyderm.io what would buy-in from fediverse software look like?

NodeBB has its own bug bounty program that awards reporters directly, but if the FSF were to shoulder the grunt work of reporting (and act as a liaison between us and the reporter), we'd be happy to discuss covering the reward and associated costs, for reports that come from Nivenly directly.

I know the program is meant to benefit all fedi software and there's (I think?) no expectation of compensation from the software owners themselves, but in this case NodeBB would be happy to cover at least the reward portion for any vulnerabilities disclosed. We're not raking in huge amounts of money ourselves, but our bounty program is one of the last things we will cut.

#18 thisismissem@hachyderm.io (remote user) wrote:

@julian you're still receiving the vulnerability reports directly with the Fediverse Security Fund; we pay *after* you've confirmed & patched.

I wasn't aware of your bug bounty program, but could list that alongside your project.

#19 julian@community.nodebb.org (remote user) wrote:

@thisismissem@hachyderm.io great. I'm thinking that for reports coming from Fediverse Security Fund directly, we'd cover the reward portion (the High (7.0 - 8.9) – $250 USD, Critical (9.0+) – $500 USD) part, either directly to the reporter or more likely through an in-kind donation back to the fund.

Also the fund may need a better acronym... FSF 😅
#20 thisismissem@hachyderm.io (remote user) wrote:

@julian so the reports don't come from Nivenly, the reports come from researchers and contributors and go directly to you. Once you accept & fix, and publish the advisory, the researcher/contributor can come to us and we'll pay them for their responsible disclosure.

They could also still collect from your bounty program as well, so rather than them getting just $256 or $512 from your program, they could get $506 or $1012 in total, because they can claim both bounties (if your program allows it)

(I mean, it's better than Fediverse Security Bounty — FSB 😂)