This is a program that I've been championing within @nivenly over the past year, after we noticed that security vulnerabilities weren't being disclosed responsibly, and not enough research was going into the security of Fediverse software.

  • @julian so the reports don't come from Nivenly, the reports come from researchers and contributors and go directly to you. Once you accept & fix, and publish the advisory, the researcher/contributor can come to us and we'll pay them for their responsible disclosure.

    They could also still collect from your bounty program as well, so rather than them getting just $256 or $512 from your program, they could get $506 or $1012 in total, because they can claim both bounties (if your program allows it).

    (I mean, it's better than Fediverse Security Bounty — FSB 😂)

    @thisismissem@hachyderm.io ah understood. I didn't quite get how the fund worked, but it makes more sense now (and is much simpler—organizationally—for Nivenly!)

    I don't think we'll add exclusions for security fund recipients 🙂

    I would say, though, that one of the requirements has to be that the affected software accepts the vulnerability. Plenty of self-proclaimed "security researchers" have filed reports, and some go as far as to publish CVEs (against our own software!) without our permission.

    Quite the opposite of responsible disclosure.