Bug Resilience Program FAQ

Frequently asked questions about different aspects of the Sovereign Tech Fund's Bug Resilience Program

What services are provided through the Bug Resilience Program?

Currently, the Bug Resilience Program (BRP) consists of three categories of services provided in collaboration with our implementation partners.

  • Direct contributions with Neighbourhoodie Software GmbH
  • Code audits with OSTIF
  • Bug & fix bounties on the YesWeHack platform

Who can apply for the Bug Resilience Program?

The Bug Resilience Program is currently invitation only. We are prioritizing technologies that STF has already identified as critical open source infrastructure.


What types of activities fall under “Direct Contributions”?

  • Addressing technical debt
  • Triaging and fixing known issues
  • Code reviews
  • Style and contribution guides
  • Any code or non-code contributions that improve the technical resilience and maintainability of the software project.

How do the "Direct Contributions" work?

The goal of the Direct Contributions is to provide both code and non-code contributions to open source infrastructure that will reduce the likelihood of vulnerabilities hiding in code bases. Direct contributions also improve the maintainability of the software, ultimately making it more secure. Upon invitation to BRP, the maintainers will be introduced to Neighbourhoodie Software GmbH, which determines the scope of the activities most needed by the project. The BRP reviews the scope of work and approves it, and Neighbourhoodie Software GmbH will then provide the contributions.


How does the "Bug & Fix Bounty Platform" work?

Once an open source infrastructure project has taken some preventative improvement steps, and/or is ready for a public bug bounty, the BRP will provide a bug bounty program on the YesWeHack platform. The participating project will be responsible for defining the scope of the bug bounty, as well as fixing the vulnerabilities that are reported. YesWeHack will provide assistance in inviting researchers and triaging the reports that come in. STF will pay a bug bounty for each responsibly disclosed vulnerability report, as well as a fix bounty to the participating project upon fixing such vulnerabilities reported through the program.


Who pays for services provided under the Bug Resilience Program?

The Sovereign Tech Fund has agreements with the implementation partners to pay the costs incurred by providing these services. Currently, we are not able to provide any compensation or investment to the participating projects beyond the fix bounties outlined above.


Does participating in the Bug Resilience Program have an impact on funding with the Sovereign Tech Fund?

Participation in the Bug Resilience Program has no bearing on any other agreements between an open source infrastructure project and the STF.


How can we provide feedback on the Bug Resilience Program?

We highly value feedback on our approach to bug resilience and its implementation, both from participating projects and from any interested parties. We will be conducting periodic evaluations throughout the lifetime of the project and inviting specific feedback on how well the program is meeting its goals and desired impact.

We also welcome feedback at any time at: bugresilience@sovereigntechfund.de