Hi everyone, I got an email that the Sovereign Tech Fund extended an invitation to the Bug Resilience Program, because we participated in last year's Contribute Back Challenge, which means that Nix/Nixpkgs/NixOS is considered critical infrastructure.

Very briefly, the offer is:

• Developer time provided by a software consultancy
• Get hosted on YesWeHack with a bug bounty program, and get an unspecified amount of funding to pay bounties
• Get security audits conducted by OSTIF

As these are largely in-kind contributions, those require resources to get accepted. Is there interest in the security community to capture that influx of attention?

The applications are "first come first serve", so if the general sentiment is that we should pursue it, that decision and a write-up should happen very soon (presumably on the order of days).
In particular we would have to define a scope to which the audits and bug bounties extend. A natural choice would be C++ Nix, but it could in principle also be the Nixpkgs/NixOS code base or our contribution workflows.

What do you think? I also posted this on Nix Hackers since getting developer time is something we wanted for many months now, and Security Discussions since it's about security.