The fediverse, also referred to as the open social web that encompasses Mastodon, Meta’s Threads, Pixelfed, and other applications, is enhancing its security measures. On Wednesday, the Nivenly Foundation, a nonprofit organization focused on bringing governance to open-source projects, announced the launch of a new security fund designed to compensate individuals who responsibly disclose security vulnerabilities affecting fediverse applications and services.
Like all software, the fediverse is susceptible to security issues. Mastodon, an open-source, decentralized alternative, has addressed numerous bugs over the years, underscoring the need for such a program. Furthermore, many servers within the fediverse are operated by independent individuals who may not possess a security background or be familiar with best practices, which can exacerbate the issue.
The Nivenly Foundation has already assisted several fediverse projects in establishing their basic security vulnerability reporting processes. Now, it is seeking to distribute modest payouts to individuals who responsibly disclose other security vulnerabilities that may still exist.
The payouts will amount to $250 for vulnerabilities with a Common Vulnerability Scoring System (CVSS) severity score of 7.0-8.9 and $500 for critical vulnerabilities with a CVSS score of 9.0 or greater. The funds for these payouts are provided by the foundation, which is supported directly by its members, including both individuals and trade organizations.
Vulnerabilities are validated through acceptance by the affected fediverse project's leads, together with public records in Common Vulnerabilities and Exposures (CVE) databases.
The fund is currently in a limited trial phase, following the discovery of a security vulnerability in the decentralized Instagram alternative, Pixelfed. Open-source contributor Emelia Smith identified the issue, and the Nivenly Foundation compensated her for resolving it, as she explains.
A more recent issue arose when Pixelfed’s creator, Daniel Supernault, publicly disclosed the details of a vulnerability before server operators had the opportunity to update, potentially leaving the fediverse vulnerable to malicious actors. (Supernault has since publicly apologized for his handling of the issue, which affected private accounts.)
“Part of the program involves educating project leads on the importance of responsible disclosure practices for security vulnerabilities,” Smith told TechCrunch. “We encountered several projects that simply instructed individuals to file security vulnerabilities in their public issue tracker, which is not a safe practice, as malicious actors monitoring that repository could exploit instances of that software,” she added.
Typically, the standard practice is to disclose minimal information about a vulnerability, allowing server operators sufficient time to upgrade, according to Smith. However, this requires project leads to be knowledgeable about security best practices.
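The private reporting channel Smith describes, as opposed to a public issue tracker, can be advertised with a `security.txt` file served at `/.well-known/security.txt`, the format standardized in RFC 9116. The following is an added example and is not part of the article or any Nivenly Foundation or Pixelfed project file; the domain, e-mail address and URLs are placeholders.

```text
# /.well-known/security.txt (RFC 9116) for a hypothetical fediverse project
# Reporters use these fields instead of filing a public issue.
Contact: mailto:security@example-fediverse-project.invalid
# Required field; a stale file is treated as invalid, so renew it regularly.
Expires: 2026-01-01T00:00:00.000Z
# Optional: key reporters can use to encrypt vulnerability details.
Encryption: https://example-fediverse-project.invalid/.well-known/pgp-key.txt
# Optional: the project's disclosure policy, e.g. embargo period before details are published.
Policy: https://example-fediverse-project.invalid/security-policy
Preferred-Languages: en
Canonical: https://example-fediverse-project.invalid/.well-known/security.txt
```

The `Policy` page is where a project states the embargo practice Smith refers to: a fix and advisory with minimal detail are released first, and full details follow only after server operators have had time to upgrade.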
In the case of the Pixelfed issue, the Hachyderm Mastodon server, which has over 9,500 members, decided to defederate (or disconnect from) other Pixelfed servers that hadn’t been updated in order to protect their users.
With the implementation of this new program, which adheres to best practices for vulnerability disclosure, the need for defederation to protect users may become less frequent.