Fediverse Security Fund Claim Inquiry — CVE-2025-54888 in Fedify #10

@dahlia

Description

I am Hong Minhee, the author and maintainer of Fedify, an ActivityPub server framework for JavaScript and TypeScript.

I would like to inquire about the process for nominating or supporting an external security researcher for funding from the Nivenly Fediverse Security Fund following their responsible disclosure of a security vulnerability in Fedify.

Vulnerability Details

CVE ID: CVE-2025-54888
GitHub Security Advisory: GHSA-6jcc-xgcr-q3h4
CVSS Score: 8.7 (High)
Severity: High (Authentication Bypass/Actor Impersonation)
Status: Fixed and publicly disclosed

The vulnerability was an authentication bypass issue that allowed any unauthenticated attacker to impersonate any ActivityPub actor by sending forged activities signed with their own keys. Activities were being processed before verifying that the signing key belonged to the claimed actor, enabling complete actor impersonation across all Fedify instances.

Reporter and Resolution

The vulnerability was responsibly reported by Fabien O'Carroll (@allouis) through our proper security disclosure process. I, as the maintainer, implemented the fix, which has been merged and released across all supported Fedify versions.

Fabien's report was thorough, included a detailed proof of concept, and followed responsible disclosure practices. The quality of the report significantly expedited the patching process and helped ensure the security of all Fedify instances.

Eligibility and Request

According to the Fediverse Security Fund documentation:

  • Fedify is listed as an eligible project
  • The vulnerability qualifies as High (7.0–8.9 CVSS score) for $250 USD sponsorship
  • Fabien O'Carroll is an external researcher (not part of the core maintainer team)
  • The vulnerability has been properly disclosed and fixed

Information Request

I would like to understand the process for ensuring that Fabien O'Carroll receives recognition and funding from the Fediverse Security Fund for this valuable contribution to Fediverse security. Specifically:

  1. Can I, as the project maintainer, nominate or recommend an external researcher for the security fund?
  2. Does the researcher need to apply directly, or can the nomination come from the project maintainer?
  3. What is the best way to ensure Fabien receives proper credit and the bounty for this important security contribution?
  4. Are there any additional steps I should take to support Fabien's potential claim?

As the project maintainer, I want to ensure that external security researchers like Fabien are properly recognized and compensated for their valuable contributions to Fediverse security. This encourages continued responsible disclosure and helps strengthen the entire ecosystem.

Contact Information

Thank you for supporting security researchers and maintaining the integrity of Fediverse software through this important initiative.
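The ownership check the advisory describes, as an added illustration that is not Fedify's own code: it assumes simplified actor and activity types, an in-memory actor store in place of a network fetch, and constructed sample actors.

```typescript
// Added illustration of the ownership check the advisory describes: an HTTP
// Signature that verifies under some key proves only who holds that key, not
// that the key belongs to the actor named in the activity. Types and the
// in-memory actor store are simplified assumptions, not Fedify's own API.
type ActorId = string;
type KeyId = string;

interface ActorDocument {
  id: ActorId;
  publicKey?: { id: KeyId; owner: ActorId }[];            // legacy key field
  assertionMethod?: { id: KeyId; controller: ActorId }[]; // Multikey form
}

interface Activity {
  actor: ActorId;
  type: string;
}

// Key ids an actor document vouches for. A key whose owner/controller
// names a different actor is not counted even if it appears in the document.
function keysOwnedBy(actor: ActorDocument): Set<KeyId> {
  const owned = new Set<KeyId>();
  for (const k of actor.publicKey || []) if (k.owner === actor.id) owned.add(k.id);
  for (const k of actor.assertionMethod || []) if (k.controller === actor.id) owned.add(k.id);
  return owned;
}

// The step the advisory says was missing: after signature verification yields
// verifiedKeyId, resolve the *claimed* actor and accept only if it lists that
// key. lookupActor stands in for fetching the actor document over the network.
function signingKeyBelongsToActor(
  activity: Activity,
  verifiedKeyId: KeyId,
  lookupActor: (id: ActorId) => ActorDocument | undefined,
): boolean {
  const actor = lookupActor(activity.actor);
  if (actor === undefined || actor.id !== activity.actor) return false;
  return keysOwnedBy(actor).has(verifiedKeyId);
}

// Constructed sample data: two actors on different servers, one key each.
const ALICE = "https://a.example/users/alice";
const BOB = "https://b.example/users/bob";
const ACTORS = new Map<ActorId, ActorDocument>([
  [ALICE, { id: ALICE, publicKey: [{ id: `${ALICE}#main-key`, owner: ALICE }] }],
  [BOB, { id: BOB, assertionMethod: [{ id: `${BOB}#key-1`, controller: BOB }] }],
]);
const lookup = (id: ActorId) => ACTORS.get(id);
// An activity claiming ALICE as actor is accepted only under a key ALICE lists.
const claimsAlice: Activity = { actor: ALICE, type: "Create" };
```

Fedify's real check additionally has to handle fetching the actor document and caching keys; the point shown here is only the binding between the verified key and the claimed actor.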
