fieldwitness/docs/planning/gtm-feasibility.md
Aaron D. Lee 490f9d4a1d Rebrand SooSeF to FieldWitness
Complete project rebrand for better positioning in the press freedom
and digital security space. FieldWitness communicates both field
deployment and evidence testimony — appropriate for the target audience
of journalists, NGOs, and human rights organizations.

Rename mapping:
- soosef → fieldwitness (package, CLI, all imports)
- soosef.stegasoo → fieldwitness.stego
- soosef.verisoo → fieldwitness.attest
- ~/.soosef/ → ~/.fwmetadata/ (innocuous data dir name)
- SOOSEF_DATA_DIR → FIELDWITNESS_DATA_DIR
- SoosefConfig → FieldWitnessConfig
- SoosefError → FieldWitnessError

Also includes:
- License switch from MIT to GPL-3.0
- C2PA bridge module (Phase 0-2 MVP): cert.py, export.py, vendor_assertions.py
- README repositioned to lead with provenance/federation, stego backgrounded
- Threat model skeleton at docs/security/threat-model.md
- Planning docs: docs/planning/c2pa-integration.md, docs/planning/gtm-feasibility.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-02 15:05:13 -04:00


Go-to-Market Feasibility Plan

Audience: Internal planning (solo developer)
Status: Active planning document
Last updated: 2026-04-01

Overview

Phased plan for building credibility and visibility for FieldWitness in the press freedom and digital security space. Constraints: solo developer, ~10-15 hrs/week, portfolio/learning project that should also produce real-world value.


Current Strengths

  • Federation layer is genuinely novel: gossip-based attestation sync across orgs with offline-first design and append-only hash chains
  • Three-tier deployment model maps to how press freedom orgs actually work
  • C2PA export is well-timed as CAI gains momentum
  • Working codebase with tests, deployment configs, documentation

Core Challenges

  • Trust deficit: "Some guy built a tool" is a warning sign in this space, not a selling point
  • Chicken-and-egg: Need audit for credibility, need credibility/money for audit, need adoption for money
  • Limited bandwidth: 10-15 hrs/week makes sequencing critical
  • Stego perception risk: Steganography angle can be a credibility liability if positioned as headline feature (perceived as "hacker toy")

Phase 1: Foundation (Months 1-6)

Goal: Make the project legible to the ecosystem.

Technical credibility (60% of time)

  • Ship C2PA export as v0.3.0 headline feature (target: 8 weeks)
  • Write formal threat model document at docs/security/threat-model.md
    • Model after Signal protocol docs or Tor design doc
  • De-emphasize steganography in public surfaces -- lead with "offline-first provenance attestation with gossip federation"
  • Set up reproducible builds with pinned dependencies
  • Get CI/CD visibly working with test/lint/type-check/coverage badges

Positioning and documentation (20% of time)

  • Write "Why FieldWitness Exists" document (~1500 words): the problem, why existing tools don't solve it, what FieldWitness does differently, who it's for, what it needs
  • Create 2-minute demo video: field attestation -> sneakernet sync -> federation -> verification

Community engagement (20% of time)

  • Lurk on liberationtech@lists.stanford.edu -- do NOT announce tool cold; wait for relevant threads
  • GitHub engagement with adjacent projects (real contributions, not performative):
    • guardian/proofmode-android
    • contentauth/c2pa-python
    • freedomofpress/securedrop
  • Post Show HN when C2PA export ships

Phase 2: Credibility Escalation (Months 7-12)

Goal: Get external validation from at least one recognized entity.

OTF (Open Technology Fund) -- https://www.opentech.fund/

Internet Freedom Fund: $50K-$900K over 12-36 months. Solo developers eligible. Rolling applications.

Red Team Lab: FREE security audits commissioned through partner firms (Cure53, Trail of Bits, Radically Open Security). This is the single highest-leverage action.

Usability Lab: Free UX review.

Application timeline: 2-4 months from submission to decision.

Strategy: Apply to Red Team Lab for audit FIRST (lower commitment for OTF, validates you as "OTF-vetted").

Compelling application elements

  1. Lead with problem: "Provenance attestation tools assume persistent internet. For journalists in [specific scenario], this fails."
  2. Lead with differentiator: "Gossip federation for cross-org attestation sync, offline-first, bridges to C2PA."
  3. Be honest about status: "Working prototype at v0.3.0, needs audit and field testing."
  4. Budget: stipend, audit (if Red Team Lab unavailable), 1-2 conferences, federation relay hosting.

Backup audit and funding paths

| Organization | URL | Notes |
|---|---|---|
| OSTIF | https://ostif.org/ | Funds audits for open-source projects; may be too early-stage |
| Radically Open Security | https://www.radicallyopensecurity.com/ | Nonprofit, reduced rates for internet freedom projects; focused audit ~$15-30K |
| NLnet Foundation | https://nlnet.nl/ | EUR 5-50K grants, lightweight process, solo devs welcome, includes audit funding |
| Filecoin Foundation for Decentralized Web | https://fil.org/grants | Relevant to federation/provenance angle |

Community building

  • Submit talk to IFF 2027 (Internet Freedom Festival, Valencia, ~March)
    • Open sessions and tool showcases have low barriers
    • Talk title: "Federated Evidence Chains: Offline Provenance for Journalists in Hostile Environments"
  • Cold outreach to 3-5 specific people:
    • Access Now Digital Security Helpline trainers
    • Harlo Holmes (FPF Director of Digital Security)
    • Guardian Project developers (ProofMode team)
    • Position as complementary, not competitive
    • Lead with "I want honest feedback"
  • Conferences:

Phase 3: Traction or Pivot (Months 13-24)

Green lights (keep going)

  • OTF Red Team Lab acceptance or any grant funding
  • A digital security trainer says "I could see using this"
  • A journalist or NGO runs it in any scenario
  • Another developer contributes a meaningful PR
  • Conference talk accepted

Red lights (pivot positioning)

  • Zero response from outreach after 6+ months
  • Funders say problem is already solved
  • Security reviewers find fundamental design flaws

If green (months 13-24)

  • Execute audit, publish results publicly (radical transparency)
  • Build pilot deployment guide
  • Apply for Internet Freedom Fund
  • Present at RightsCon 2027/2028

If red (months 13-24)

  • Reposition as reference implementation / research project
  • Write federation protocol as academic paper
  • Lean into portfolio angle

Professional Portfolio Positioning

Framing

"I designed and implemented a gossip-based federation protocol for offline-first provenance attestation, targeting field deployment in resource-constrained environments. The system uses Ed25519 signing, Merkle trees with consistency proofs, append-only hash chains with CBOR serialization, and bridges to the C2PA industry standard."

Skills demonstrated

  • Cryptographic protocol design
  • Distributed systems (gossip, consistency proofs)
  • Security engineering (threat modeling, audit prep, key management)
  • Systems architecture (three-tier, offline-first)
  • Domain expertise (press freedom, evidence integrity)
  • Grant writing (if pursued)

Target roles

  • Security engineer (FPF, EFF, Access Now, Signal, Cloudflare)
  • Protocol engineer (decentralized systems)
  • Developer advocate (security companies)
  • Infrastructure engineer

Key portfolio artifacts

  • Threat model document (shows security thinking)
  • Audit report, even with findings (shows maturity)
  • C2PA bridge (shows standards interop, not just NIH)

Timeline (10-15 hrs/week)

| Month | Focus | Deliverable | Time split |
|---|---|---|---|
| 1-2 | C2PA export + threat model | v0.3.0, threat-model.md | 12 code, 3 docs |
| 3-4 | Demo video + "Why FieldWitness" + CI | Video, doc, badges | 8 code, 4 docs, 3 outreach |
| 5-6 | OTF Red Team Lab app + community | Application submitted, Show HN | 5 code, 5 grants, 5 outreach |
| 7-9 | Community + backup grants | Outreach emails, NLnet/FFDW apps | 8 code, 3 grants, 4 outreach |
| 10-12 | IFF submission + traction check | Talk submitted, go/no-go decision | 8 code, 2 grants, 5 outreach |
| 13-18 | (If green) Audit + pilot guide | Published audit, pilot doc | 10 code, 5 docs |
| 19-24 | (If green) Conference + IFF app | Talk, major grant application | 5 code, 5 grants, 5 outreach |

What NOT to Bother With

  • Paid marketing, ads, PR
  • Product Hunt, startup directories, "launch" campaigns
  • Project website beyond clean README
  • Corporate partnerships
  • Whitepapers before audit
  • Mobile apps
  • Discord/Slack community (dead community is worse than none)
  • Press coverage (too early)
  • Competing with SecureDrop on source protection
  • General tech conference talks (domain-specific venues only)