New Security Fund Launched to Protect the Fediverse

The open social web, known as the fediverse — a decentralized ecosystem of apps like Mastodon, Threads by Meta, and Pixelfed — is taking a big step forward in strengthening its digital defenses. On Wednesday, the Nivenly Foundation, a nonprofit dedicated to governance in open source, announced a new security fund aimed at incentivizing responsible vulnerability disclosures across fediverse apps and services.
While security is a concern for all software, the fediverse faces unique challenges. Many of its servers are run by independent operators who may lack formal security training or familiarity with best practices, and each instance must be patched by its own operator. Mastodon, one of the leading platforms in the fediverse, has had its fair share of security bugs patched over the years, underscoring the need for a more proactive, structured approach to securing this open ecosystem.
To address this, the Nivenly Foundation’s new initiative will offer financial rewards to contributors who responsibly disclose vulnerabilities. Rewards are set at $250 for high-severity issues (CVSS score 7.0–8.9) and $500 for critical vulnerabilities (CVSS 9.0+). The payouts will be funded directly by the Foundation’s members, which include individuals and organizations supporting open source development.
Before any payout is made, a reported vulnerability must be validated twice: confirmed by the project leads of the affected fediverse app, and recorded publicly with a CVE (Common Vulnerabilities and Exposures) identifier.
The program is currently in a limited trial phase, launched in response to a real-world issue found in Pixelfed, a decentralized Instagram alternative. Emelia Smith, an open source contributor, discovered the vulnerability and was paid by the Foundation for her work in fixing it.
The situation highlighted a key problem: Pixelfed’s creator, Daniel Supernault, had disclosed the vulnerability publicly before giving server operators a chance to patch their systems, leaving users exposed to potential attacks. While Supernault later apologized, the incident reinforced the importance of responsible disclosure practices — a principle at the heart of the new Nivenly initiative.
“Part of the program is… education for project leads,” Smith explained, noting that some projects advised users to report vulnerabilities via public issue trackers. That is a dangerous practice: a public issue discloses the flaw to attackers at the same moment the maintainers learn of it, and before operators of unpatched servers have any chance to respond.
In a particularly telling response to the Pixelfed vulnerability, the Hachyderm Mastodon server, which serves over 9,500 users, chose to defederate from Pixelfed instances that hadn't applied the update. Defederation blocks the exchange of posts and interactions with those servers, so Hachyderm effectively cut ties with unpatched instances to protect its community.
The Nivenly Foundation hopes its structured program, grounded in best practices for vulnerability disclosure, will reduce the need for drastic defensive actions like defederation. By providing incentives, education, and a formal process for reporting vulnerabilities, the program aims to help the fediverse mature into a more secure and resilient open web.
As more users and developers embrace decentralized platforms, ensuring a strong security foundation will be critical. The Nivenly Foundation’s new fund marks a meaningful move toward making the fediverse safer for everyone.