As the fediverse, the decentralized, open social web that includes platforms like Mastodon, Threads, and Pixelfed, continues to grow, it is also facing increasing scrutiny over security vulnerabilities. Now a new initiative is stepping up to make the space safer.
This week, the Nivenly Foundation, a nonprofit dedicated to supporting open source governance, launched a Fediverse Security Fund to reward responsible disclosure of vulnerabilities across fediverse apps and services. The goal is simple: encourage ethical hacking while promoting safer standards across decentralized platforms.
Mastodon, often described as an open source alternative to X (formerly Twitter), has seen its share of bugs patched over time. But because many fediverse servers are run by volunteers or small teams without formal security training, gaps still exist. That’s where the fund comes in.
The program will offer $250 payouts for high-severity vulnerabilities (scoring 7.0–8.9 on the CVSS scale, the High band) and $500 for critical issues rated 9.0 or above. These payments are funded directly by the foundation’s members, a mix of individuals and trade organizations supporting the open social web.
To qualify for a payout, vulnerabilities must be verified by the affected project’s lead developers and included in public CVE (Common Vulnerabilities and Exposures) records. The Nivenly Foundation has already assisted several fediverse projects in setting up more secure vulnerability reporting systems, laying the groundwork for responsible security disclosure.
The fund is currently in a limited trial phase, following a real-world incident involving Pixelfed, a decentralized photo-sharing platform. Open source contributor Emelia Smith discovered a vulnerability and was compensated by the foundation to help resolve it.
However, another incident involving Pixelfed’s creator, Daniel Supernault, highlighted the ongoing need for education. Supernault publicly shared details of a vulnerability before many server operators had a chance to update, a move that could have exposed users to risk. He later apologized for how he handled the disclosure, which had impacted users with private accounts.
“Part of this program is about educating project leads, helping them understand why responsible disclosure is critical,” Smith explained. She added that many projects initially allowed security vulnerabilities to be posted directly in public issue trackers, a major risk in open source communities. “That approach gives malicious actors immediate visibility into the issue before it’s fixed,” she warned.
Best practice in open source security is to publish a fix with minimal public detail at first, giving server operators time to upgrade before the specifics of an exploit are made widely known. But not all maintainers are familiar with that standard.
In the Pixelfed case, the Hachyderm Mastodon server, which has over 9,500 users, temporarily chose to defederate from (that is, stop exchanging content with) unpatched Pixelfed servers to protect its community.
With the Nivenly Foundation’s new fund and structured process for responsible disclosure, Smith hopes that these emergency actions will become less common. By rewarding ethical hackers and promoting safer practices, the foundation aims to strengthen the fediverse without sacrificing its core values of decentralization and openness.