Hi everyone, I got an email that the Sovereign Tech Fund extended an invitation to the Bug Resilience Program, because we participated in last year's Contribute Back Challenge, which means that Nix/Nixpkgs/NixOS is considered critical infrastructure.

Very briefly, the offer is:

• Developer time provided by a software consultancy
• Get hosted on YesWeHack with a bug bounty program, and get an unspecified amount of funding to pay bounties
• Get security audits conducted by OSTIF

As these are largely in-kind contributions, those require resources to get accepted. Is there interest in the security community to capture that influx of attention?

The applications are "first come first serve", so if the general sentiment is that we should pursue it, that decision and a write-up should happen very soon (presumably on the order of days).
In particular we would have to define a scope to which the audits and bug bounties extend. A natural choice would be C++ Nix, but it could in principle also be the Nixpkgs/NixOS code base or our contribution workflows.

What do you think? I also posted this on Nix Hackers since getting developer time is something we wanted for many months now, and Security Discussions since it's about security.

hi folks -- i have a small concern about conflicts of interest throughout the recently appointed assembly.

while i sincerely appreciate all the work that the board & co have put into the selection process, i'm a bit concerned about infinisil's spot on the assembly, given that he has basically the same level of access as a board observer (while actual board observers were barred from applying to the assembly), and helped design the assembly application process in the first place.

hi folks -- i have a small concern about conflicts of interest throughout the recently appointed assembly.

while i sincerely appreciate all the work that the board & co have put into the selection process, i'm a bit concerned about infinisil's spot on the assembly, given that he has basically the same level of access as a board observer (while actual board observers were barred from applying to the assembly), and helped design the assembly application process in the first place.

what makes him different from the board observers in this case, if i may ask?

In reply to @twitchy0:matrix.org
Are there additional steps I need to take for this reimbursement request?
https://github.com/NixOS/foundation/issues/152

Follow the instructions on "How do I get reimbursed"

https://nixos.org/community/event-funding/