The fediverse — a decentralized network of social platforms like Mastodon, Threads (by Meta), and Pixelfed — is taking a significant step toward improving its security. On Wednesday, the Nivenly Foundation, a nonprofit dedicated to supporting open-source governance, introduced a new security fund aimed at encouraging responsible disclosure of vulnerabilities affecting these platforms.
Although bugs are inevitable in any software, platforms like Mastodon — a decentralized alternative to X (formerly Twitter) — have seen their fair share of security flaws over the years. Compounding the issue, many fediverse servers are managed by hobbyists or volunteers who may not have formal security training. This makes the ecosystem particularly vulnerable and highlights the need for structured security initiatives.
The Nivenly Foundation has already begun assisting several fediverse projects with setting up basic protocols for reporting vulnerabilities. Now, with this newly established fund, the foundation plans to offer financial rewards to individuals who responsibly disclose new security issues.
The reward structure is tiered: $250 will be granted for vulnerabilities rated between 7.0 and 8.9 on the CVSS (Common Vulnerability Scoring System) scale, and $500 will be awarded for more critical bugs rated 9.0 or higher. These payouts are funded by contributions from both individuals and supporting organizations affiliated with the foundation.
Before a payout is issued, all reported vulnerabilities must be verified and accepted by project leads, and must be documented in public vulnerability databases like CVE.
The fund is currently operating in a trial phase. It gained momentum after open-source contributor Emelia Smith identified and helped fix a vulnerability in Pixelfed, an Instagram-style decentralized app. The foundation compensated her for her efforts.
However, a recent misstep by Pixelfed’s creator, Daniel Supernault, raised concerns when he revealed a security flaw publicly before server operators had time to patch it — a move that could have exposed the network to potential attacks. He later issued a public apology for the premature disclosure.
Smith emphasized that one of the program’s key goals is to educate project leaders on the importance of responsible vulnerability reporting. “We found some projects suggesting users report vulnerabilities in public forums, which is incredibly risky,” she said. Responsible disclosure, where only limited information is shared until patches are applied, is essential for protecting the community.
As the program matures, it’s expected to help the fediverse strengthen its security posture and reduce the need for drastic actions like defederation, where servers disconnect from others to prevent risk to their users.
