Neighbourhoodie and the Sovereign Tech Fund posted Thursday, June 6, 2024 by The Neighbourhoodie Team

We have exciting news to share: Neighbourhoodie is an official Implementation Partner of the Sovereign Tech Fund’s Bug Resilience Programme.

Hold up, what does all that mean? Let’s back up a little:

In 2021, a security issue (or vulnerability) was made public in the Log4j library. This is business as usual in the software world, security vulnerabilities are found every day, they are being reported, issues are fixed, new releases come out and then everyone can update.

That time, things went a little different: the vulnerability was disclosed without anyone having a chance to fix it, let alone update their systems to the latest version.

In addition, this vulnerability affected anyone running Log4j in a way that anyone anywhere can run unverified code on a target system. This is 10 out of 10 bad.

Two more compounding factors made this issue even worse:

1. It turns out, Log4j is used everywhere. Not a day goes by where anyone doing any digital work is not using a system that uses Log4j. Small companies, big companies, governments, everyone is using Log4j.
2. Log4j was maintained by a very small team that was working part time and unpaid.

One of many government agencies, the German Bundesamt für Sicherheit in der Informationstechnik (Federal agency for IT security) classified this as an “extremely critical threat situation”.

In response to this, the German government founded the Sovereign Tech Fund to run programmes that help avoid issues like this in the future.

One of these programmes is the Bug Resilience Programme:

The Bug Resilience Program proactively increases the resilience of open source software infrastructure and empower small and medium-sized open source projects. The goal is to lower their risk of harboring bugs and improve their capacity to respond to bugs as they are discovered. The program provides services to OSS projects, such as helping projects deal with technical debt, working on known security issues, performing code security audits to reduce high-risk vulnerabilities, as well as offering a bug & fix bounty platform to discover, responsibly report, and fix bugs.

So far so good, but where does Neighbourhoodie come into the picture?

How it works

As mentioned above, we are an Implementation Partner. That means we work directly with Open Source projects and help them be more resilient in the face of security issues. We are collaborating with projects in the open and help them address their highest need issues. These vary widely from directly working on the code to improving processes, to internal documentation that helps onboard more folks, and sometimes it means taking on a bunch of chores to free up the core maintainers to focus on high-value work.

Here’s an (abbreviated for clarity) outline of the kind of work we are doing with the projects:

1. Analysis
   1. Organisational Preparation
   2. Technical Preparation
      1. Review software dependencies
      2. Review project: Code & Tests, including CI
2. Improvement
   1. Testing
      1. Add test coverage
      2. Introduce or expand automated testing
      3. Increase testing matrix
   2. Release Engineering
      1. Stable versioning
      2. Automate releases
      3. Audit access control for release automation
   3. Software Development
      1. Help fix high-impact issues
      2. Help review outstanding contributions
      3. Improve documentation for first time contributors
      4. Improve contribution guidelines more generally
      5. Improve developer experience
      6. Help recruit more contributors

While all this is very abstract, we’ll share some of the concrete work we have done with actual projects in later blog posts.

Neighbourhoodie are honoured to already be working with projects as diverse and essential as:

• Prefix.dev
• SystemD
• SequoiaPGP (OpenPGP in Rust)
• OpenPGP.js (OpenPGP in JavaScript)
• Yocto
• …and many more that we can’t share just yet

Stay tuned for our detailed reports on what we have done for each project.

How can you join?

The Sovereign Tech Fund’s Bug Resilience Program is open for your applications.

We can also help you directly

Many companies and products have crucial dependencies on small and potentially understaffed and underfunded Open Source projects. We can help identify and improve the ones that are important to your business. Our friendly sales team is happy to help. Book a call with us today!