Sovereign Tech Resilience FAQ

Currently, Sovereign Tech Resilience consists of three categories of services provided in collaboration with our implementation partners.

• Direct contributions with Neighbourhoodie Software
• Code audits with OSTIF
• Bug & fix bounties on the YesWeHack platform.

Sovereign Tech Resilience is open to applications from FOSS infrastructure projects. Applications that do meet the criteria will be invited to join Sovereign Tech Resilience on a first-come, first-serve basis. Find out more about the application process on the Sovereign Tech Resilience webpage.

• Addressing technical debt
• Triaging and fixing known issues.
• Code reviews
• Style and contribution guides
• Improving test coverage and testing facilities
• Implementing release automations
• Any code or non-code contributions that improve the technical resilience and maintainability of the software project.

The goal of the Direct Contributions is to provide both code and non-code contributions to open source infrastructure that will reduce the likelihood of vulnerabilities hiding in code bases. Direct contributions also improve the maintainability of the software, ultimately making it more secure. Upon invitation to Sovereign Tech Resilience, the maintainers will be introduced to Neighbourhoodie Software, which is determines the scope of the activities most needed by the project. The Sovereign Tech Resilience program reviews the scope of work and approves it, and Neighbourhoodie Software then provides the contributions.

Once an open source infrastructure project has taken some preventative improvement steps, and/or is ready for a public bug bounty, Sovereign Tech Resilience will provide a bug bounty program on the YesWeHack platform. The participating project will be responsible for defining the scope of the bug bounty, as well as fixing the vulnerabilities that are reported. YesWeHack will provide assistance in inviting researchers and triaging the reports that come in. The Sovereign Tech Agency will pay a bug bounty for each responsibly disclosed vulnerability report, as well as a fix bounty to the participating project upon fixing such vulnerabilities reported through the program.

The Sovereign Tech Agency has agreements with the implementation partners to pay the costs incurred by providing these services. Currently, we are not able to provide any compensation or investment to the participating projects beyond the fix bounties outlined above.

Participation in Sovereign Tech Resilience has no bearing on any other agreements between an open source infrastructure project and the Sovereign Tech Agency or any other programs.

We highly value feedback both from participating projects as well as any interested parties on our approach to bug resilience and its implementation. Through the lifetime of the project, we will be conducting periodic evaluations and inviting specific feedback on how well the program is meeting its goals and desired impact.

We also welcome any feedback at all times at: bugresilience@sovereigntechfund.de

If you are a funder or a vulnerability management expert who would like on collaborate with Sovereign Tech Resilience, please email partnerships@bugresilience.de