Bug Resilience Program FAQ

Frequently asked questions about different aspects of the Sovereign Tech Fund's Bug Resilience Program

What services are provided through the Bug Resilience Program?

Currently, the Bug Resilience Program (BRP) consists of three categories of services provided in collaboration with our implementation partners.

  • Direct contributions with Neighbourhoodie Software
  • Code audits with OSTIF
  • Bug & fix bounties on the YesWeHack platform.

Who can apply for the Bug Resilience Program?

The Bug Resilience Program is open to applications from FOSS infrastructure projects. Applications that do meet the criteria will be invited to join BRP on a first-come, first-serve basis. Find out more about the application process on the BRP webpage.

What types of activities fall under “Direct Contributions”?

  • Addressing technical debt
  • Triaging and fixing known issues.
  • Code reviews
  • Style and contribution guides
  • Improving test coverage and testing facilities
  • Implementing release automations
  • Any code or non-code contributions that improve the technical resilience and maintainability of the software project.

How do the "Direct Contributions" work?

The goal of the Direct Contributions is to provide both code and non-code contributions to open source infrastructure that will reduce the likelihood of vulnerabilities hiding in code bases. Direct contributions also improve the maintainability of the software, ultimately making it more secure. Upon invitation to BRP, the maintainers will be introduced to Neighbourhoodie Software, which is determines the scope of the activities most needed by the project. The BRP reviews the scope of work and approves it, and Neighbourhoodie Software then provides the contributions.

How does the "Bug & Fix Bounty Platform" work?

Once an open source infrastructure project has taken some preventative improvement steps, and/or is ready for a public bug bounty, the BRP will provide a bug bounty program on the YesWeHack platform. The participating project will be responsible for defining the scope of the bug bounty, as well as fixing the vulnerabilities that are reported. YesWeHack will provide assistance in inviting researchers and triaging the reports that come in. STF will pay a bug bounty for each responsibly disclosed vulnerability report, as well as a fix bounty to the participating project upon fixing such vulnerabilities reported through the program.

Who pays for services provided under the Bug Resilience Program?

The Sovereign Tech Fund has agreements with the implementation partners to pay the costs incurred by providing these services. Currently, we are not able to provide any compensation or investment to the participating projects beyond the fix bounties outlined above.

Does participating in the Bug Resilience Program have an impact on funding with the Sovereign Tech Fund?

Participation in the Bug Resilience Program has no bearing on any other agreements between an open source infrastructure project and the STF.

How can we provide feedback on the Bug Resilience Program?

We highly value feedback both from participating projects as well as any interested parties on our approach to bug resilience and its implementation. Through the lifetime of the project, we will be conducting periodic evaluations and inviting specific feedback on how well the program is meeting its goals and desired impact.

We also welcome any feedback at all times at: bugresilience@sovereigntechfund.de

How can I help with the mission of Bug Resilience Program?

If you are a funder or a vulnerability management expert who would like on collaborate with the BRP, please email partnerships@bugresilience.de