# Go-to-Market Feasibility Plan

**Audience:** Internal planning (solo developer)

**Status:** Active planning document

**Last updated:** 2026-04-01

## Overview

Phased plan for building credibility and visibility for FieldWitness in the press freedom and digital security space. Constraints: solo developer, ~10-15 hrs/week, portfolio/learning project that should also produce real-world value.

---

## Current Strengths

- Federation layer is genuinely novel: gossip-based attestation sync across orgs with offline-first design and append-only hash chains
- Three-tier deployment model maps to how press freedom orgs actually work
- C2PA export is well-timed as CAI gains momentum
- Working codebase with tests, deployment configs, documentation

## Core Challenges

- **Trust deficit:** "Some guy built a tool" is a warning sign in this space, not a selling point
- **Chicken-and-egg:** Need audit for credibility, need credibility/money for audit, need adoption for money
- **Limited bandwidth:** 10-15 hrs/week makes sequencing critical
- **Stego perception risk:** Steganography angle can be a credibility liability if positioned as headline feature (perceived as "hacker toy")

---

## Phase 1: Foundation (Months 1-6)

**Goal:** Make the project legible to the ecosystem.

### Technical credibility (60% of time)

- Ship C2PA export as v0.3.0 headline feature (target: 8 weeks)
- Write formal threat model document at `docs/security/threat-model.md`
  - Model after Signal protocol docs or Tor design doc
- De-emphasize steganography in public surfaces -- lead with "offline-first provenance attestation with gossip federation"
- Set up reproducible builds with pinned dependencies
- Get CI/CD visibly working with test/lint/type-check/coverage badges

### Positioning and documentation (20% of time)

- Write "Why FieldWitness Exists" document (~1500 words): the problem, why existing tools don't solve it, what FieldWitness does differently, who it's for, what it needs
- Create 2-minute demo video: field attestation -> sneakernet sync -> federation -> verification

### Community engagement (20% of time)

- Lurk on `liberationtech@lists.stanford.edu` -- do NOT announce tool cold; wait for relevant threads
- GitHub engagement with adjacent projects (real contributions, not performative):
  - `guardian/proofmode-android`
  - `contentauth/c2pa-python`
  - `freedomofpress/securedrop`
- Post Show HN when C2PA export ships

---

## Phase 2: Credibility Escalation (Months 7-12)

**Goal:** Get external validation from at least one recognized entity.

### OTF (Open Technology Fund) -- https://www.opentech.fund/

**Internet Freedom Fund:** $50K-$900K over 12-36 months. Solo developers eligible. Rolling applications.

**Red Team Lab:** FREE security audits commissioned through partner firms (Cure53, Trail of Bits, Radically Open Security). This is the single highest-leverage action.

**Usability Lab:** Free UX review.

**Application timeline:** 2-4 months from submission to decision.

**Strategy:** Apply to Red Team Lab for audit FIRST (lower commitment for OTF, validates you as "OTF-vetted").

### Compelling application elements

1. Lead with problem: "Provenance attestation tools assume persistent internet. For journalists in [specific scenario], this fails."
2. Lead with differentiator: "Gossip federation for cross-org attestation sync, offline-first, bridges to C2PA."
3. Be honest about status: "Working prototype at v0.3.0, needs audit and field testing."
4. Budget: stipend, audit (if Red Team Lab unavailable), 1-2 conferences, federation relay hosting.

### Backup audit and funding paths

| Organization | URL | Notes |
|---|---|---|
| OSTIF | https://ostif.org/ | Funds audits for open-source projects; may be too early-stage |
| Radically Open Security | https://www.radicallyopensecurity.com/ | Nonprofit, reduced rates for internet freedom projects; focused audit ~$15-30K |
| NLnet Foundation | https://nlnet.nl/ | EUR 5-50K grants, lightweight process, solo devs welcome, includes audit funding |
| Filecoin Foundation for Decentralized Web | https://fil.org/grants | Relevant to federation/provenance angle |

### Community building

- Submit talk to **IFF 2027** (Internet Freedom Festival, Valencia, ~March)
  - Open sessions and tool showcases have low barriers
  - Talk title: "Federated Evidence Chains: Offline Provenance for Journalists in Hostile Environments"
- Cold outreach to 3-5 specific people:
  - Access Now Digital Security Helpline trainers
  - Harlo Holmes (FPF Director of Digital Security)
  - Guardian Project developers (ProofMode team)
  - Position as complementary, not competitive
  - Lead with "I want honest feedback"
- Conferences:
  - **RightsCon** -- https://www.rightscon.org/
  - **IFF** -- https://internetfreedomfestival.org/
  - **USENIX Security / PETS** -- academic venues, for federation protocol paper

---

## Phase 3: Traction or Pivot (Months 13-24)

### Green lights (keep going)

- OTF Red Team Lab acceptance or any grant funding
- A digital security trainer says "I could see using this"
- A journalist or NGO runs it in any scenario
- Another developer contributes a meaningful PR
- Conference talk accepted

### Red lights (pivot positioning)

- Zero response from outreach after 6+ months
- Funders say problem is already solved
- Security reviewers find fundamental design flaws

### If green (months 13-24)

- Execute audit, publish results publicly (radical transparency)
- Build pilot deployment guide
- Apply for Internet Freedom Fund
- Present at RightsCon 2027/2028

### If red (months 13-24)

- Reposition as reference implementation / research project
- Write federation protocol as academic paper
- Lean into portfolio angle

---

## Professional Portfolio Positioning

### Framing

"I designed and implemented a gossip-based federation protocol for offline-first provenance attestation, targeting field deployment in resource-constrained environments. The system uses Ed25519 signing, Merkle trees with consistency proofs, append-only hash chains with CBOR serialization, and bridges to the C2PA industry standard."

### Skills demonstrated

- Cryptographic protocol design
- Distributed systems (gossip, consistency proofs)
- Security engineering (threat modeling, audit prep, key management)
- Systems architecture (three-tier, offline-first)
- Domain expertise (press freedom, evidence integrity)
- Grant writing (if pursued)

### Target roles

- Security engineer (FPF, EFF, Access Now, Signal, Cloudflare)
- Protocol engineer (decentralized systems)
- Developer advocate (security companies)
- Infrastructure engineer

### Key portfolio artifacts

- Threat model document (shows security thinking)
- Audit report, even with findings (shows maturity)
- C2PA bridge (shows standards interop, not just NIH)

---

## Timeline (10-15 hrs/week)

| Month | Focus | Deliverable | Time split |
|-------|-------|-------------|------------|
| 1-2 | C2PA export + threat model | v0.3.0, `threat-model.md` | 12 code, 3 docs |
| 3-4 | Demo video + "Why FieldWitness" + CI | Video, doc, badges | 8 code, 4 docs, 3 outreach |
| 5-6 | OTF Red Team Lab app + community | Application submitted, Show HN | 5 code, 5 grants, 5 outreach |
| 7-9 | Community + backup grants | Outreach emails, NLnet/FFDW apps | 8 code, 3 grants, 4 outreach |
| 10-12 | IFF submission + traction check | Talk submitted, go/no-go decision | 8 code, 2 grants, 5 outreach |
| 13-18 | (If green) Audit + pilot guide | Published audit, pilot doc | 10 code, 5 docs |
| 19-24 | (If green) Conference + IFF app | Talk, major grant application | 5 code, 5 grant, 5 outreach |

---

## What NOT to Bother With

- Paid marketing, ads, PR
- Product Hunt, startup directories, "launch" campaigns
- Project website beyond clean README
- Corporate partnerships
- Whitepapers before audit
- Mobile apps
- Discord/Slack community (dead community is worse than none)
- Press coverage (too early)
- Competing with SecureDrop on source protection
- General tech conference talks (domain-specific venues only)