mCaptcha - NLnet grant application - August 2022

The first draft is available here. I’ll publish the final version on the mCaptcha website as part of the monthly report and update the link on here :slight_smile:


Based on the Gotosocial and the federation in Gitea grant applications.

1 Like

Since you’re not a European resident, your grant application will be at a disadvantage:

Given equal proposals, inhabitants of the EU and countries associated to Horizon Europe are given priority. However if the project is of exceptional quality and the proposer holds unique technical expertise proposals from outside of those geographic areas can be eligible as well — under the condition that there is a clear European dimension.

This is uncharted territory and I hope it will be granted :crossed_fingers:

I think mCaptcha ticks all the right boxes to apply to OTF for which you can find an example application (not accepted or denied yet so take it with a grain of salt) here.

1 Like
Dear Aravinth,

this mail serves to acknowledge receipt of your grant application "mCaptcha" (2022-08-113). The project will be carefully reviewed for eligibility in two rounds following the criteria set out here:

    https://nlnet.nl/entrust/eligibility

We expect the first round to take about five weeks, but given natural variation in the amount of projects and their complexity it may take longer or shorter. When the first round of review is done, we will inform you whether or not your project will be selected to enter the second round of the August 2022 call. Meanwhile, keep up the good work - and why not check out some of the wonderful projects already funded by NLnet Foundation:

    https://nlnet.nl/project/current.html

Or have a look at how you can help out with reducing the impact of software patents on the FOSS ecosystem:

    https://nlnet.nl/help

Kind regards,
on behalf of NLnet foundation,

Michiel Leenaars
Strategy Director
1 Like

mCaptcha has been selected for the second round :tada: :

Dear Aravinth,


it is my pleasure to inform you that your project "mCaptcha" (2022-08-142) has been selected to enter the second round of the August 2022 call. While the first round is solely based on your proposal, this strict selection round is potentially interactive. As your project is looked into in more depth, the reviewers may need some additional information to properly assess your application, in which case they will contact you.

Note that proposals are reviewed with regards to urgency, relevance and value for money. Unfortunately we will not be able to fund all projects proposed, as much as we would like that. For the next three weeks we will therefore be thoroughly evaluating the remaining proposals for the second round, during which we may ask you to supply additional details. After that we will inform you on the outcome of this second (and final) selection round.

If you meanwhile have any questions, please let us know.

Kind regards,
on behalf of NLnet foundation,

[redacted]

edit: The guide for applicants mentions the European dimension in the first round only. And since we are qualified for the second round, I think it is safe to assume that NLnet has overlooked the European dimension with respect to mCaptcha :blush:

1 Like

Questions from NLnet:

Dear Aravinth,

you applied to the 2022-08 open call from NLnet. We have some questions regarding your project proposal mCaptcha.

You requested 28500 euro, equivalent to one year of fulltime work. Could you provide a breakdown of the main tasks, and the associated effort?

Would the Codeberg team be willing to join this project?

What are your thoughts on PrivacyPass?

Thank you very much for your timely reply.

Kind regards,
on behalf of NLnet foundation, 

<redacted>
1 Like

I had some doubts regarding one of the questions NLnet asked, so I sent this email:

Dear <redacted>,

Can you please elaborate on what you meant by:

> Would the Codeberg team be willing to join this project?

So far, I've implemented features in mCaptcha that Codeberg has requested: they requested mariadb support and a couple of accessibility improvements. But outside such a client-developer relationship, I'm not sure what Codeberg's involvement could look like.

So if you could give me some idea as to how our relationship could evolve, I am willing to work with Codeberg to make that happen.

Thanks!

Warm regards,
Aravinth
1 Like

I received a response to my questions:

Hi Aravinth,

>>Would the Codeberg team be willing to join this project?

>So if you could give me some idea as to how our relationship could evolve, I am willing to work with Codeberg to make that happen.

for us it would be good to have a European partner in the project next to yourself. We could add a small amount for this on top of the requested budget.

For instance to assist in adding mCaptcha to upstream Gitea, so it becomes available for everyone as an option.

Best,
<redacted>
1 Like

@Gusted is an active member of both Gitea and Codeberg. Since he has been involved in mCaptcha and is also located in the EU (I think), he could be that partner if he was willing. The partner does not need to be an organization, it can be an individual (I think).

1 Like

That could work, thanks! :smiley:

@Gusted: you already created and maintain the Go library for mCaptcha, and you are leading the Codeberg deployment. If you are interested, I could add your contributions and your future plans in Codeberg for mCaptcha.

The application draft is available here. If you are interested, please feel free to add changes here (section titled “Explain what the requested budget will be used for”) and include your plans, rates and any additional funds that you’ll require.

As always, please feel free to contact me if you require help :slight_smile:


Also shared an invite on the mCaptcha Matrix chatroom

> @Gusted is an active member of both Gitea and Codeberg

Just to make sure there’s no misunderstanding (also for future readers?). I’m a volunteer for Codeberg and not a member of the Codeberg e.V.

2 Likes

My response to the email above:

Hello <redacted>,

Apologies for the delayed response.

I invited @gusted[0], a Codeberg volunteer who is leading the mCaptcha deployment in Codeberg[1], to participate in the grant and he kindly accepted. He implemented mCaptcha support in Gitea[2] through a Go client library that he developed[3].

I will respond to the other questions asked by Friday.

Once again, I apologize for the delay. I got caught up with some things offline.

Warm regards,
Aravinth

---
[0]: https://gusted.xyz
[1]: https://codeberg.org/Codeberg/Community/issues/479#issuecomment-600240
[2]: https://github.com/go-gitea/gitea/pull/20458
[3]: https://codeberg.org/Gusted/mCaptcha

I’ll post a draft to the other questions in a moment

Response from NLnet to the above email:

Hi Aravinth,

> I invited @gusted[0], a Codeberg volunteer who is leading the mCaptcha deployment in Codeberg[1], to participate in the grant and he kindly accepted. He implemented mCaptcha support in Gitea[2] through a Go client library that he developed[3].

that is excellent. Have you discussed an amount for that contribution and an associated rate (we'll have to do that soon anyway should the project be accepted)?

> Once again, I apologize for the delay. I got caught up with some things offline.

These things happen, hopefully things are good now 😉

Best,
<redacted> 

My response to the above email:

Hi <redacted>,

Thanks for the swift response! 😄

> that is excellent. Have you discussed an amount for that contribution and an associated rate (we'll have to do that soon anyway should the project be accepted)?

I'm drafting a response to the questions asked earlier, I'll work with Gusted and include a list of tasks that he's willing to work on and his rates.

> These things happen, hopefully things are good now 😉

Thanks for understanding, and yes things are much better now :D

Warm regards,
Aravinth 

My response to the questions asked:


What are your thoughts on PrivacyPass?

The benefits of implementing PrivacyPass within mCaptcha are marginal. PrivacyPass is designed to improve the experience of visitors using VPNs and Tor. So it assumes that Tor/VPN visitors have bad experiences with CAPTCHAs, which isn’t true for mCaptcha.

Also, PrivacyPass is disabled when an attack/surge is detected. mCaptcha detects surges in seconds and increases the difficulty factor to contain the surge. So if PrivacyPass is implemented, then it will only be used in normal conditions, when the CAPTCHA takes less than 200ms to solve. Using PrivacyPass in this situation doesn’t yield significant UX improvements for the increase in code complexity.

Would the Codeberg team be willing to join this project?

As mentioned in the previous email, I invited @gusted to participate in the grant, and he kindly agreed.

Gusted’s objectives:

TODO: @gusted, please add the list of tasks that you are interested in working on. Also, kindly mention your rates against the tasks.

You requested 28500 euro, equivalent to one year of fulltime work. Could you provide a breakdown of the main tasks, and the associated effort?

Tasks

The grant application includes a full list of tasks, which is also available here.

Objective 1: Proof-of-Work accessibility:

Difficulty rating: intermediate

mCaptcha currently has two Proof-of-Work libraries: WebAssembly and JavaScript polyfill. The survey must collect benchmarks using both, since a visitor might end up using either library. Percentile scores must be calculated on the aggregated results, so that the webmasters who integrate mCaptcha in their websites can make informed decisions on difficulty factors that will work for most of their visitors. The results must also be published under open-access licenses.

The benchmark code partially exists, but processing and publishing mechanisms don’t exist yet.

Objective 2: Horizontal scaling

Difficulty rating: hard

mCaptcha uses a leaky bucket algorithm for response Proof-of-Work difficulty scaling. The implementation that currently exists within mCaptcha isn’t distributed and so is a bottleneck for deployment with popular websites.

So I must implement a distributed version of the same algorithm. The new implementation must also be verified for correctness. To verify, I’ll have to create Infrastructure-as-Code for automated deployment in a test environment.

Both the distributed leaky bucket algorithm and the full system Infrastructure-as-Code are time-consuming, so this objective is rated “hard”.

Objective 3: Integration test

Difficulty rating: hard

mCaptcha, at the moment, is maintained solely by me. Full system integration tests covering all configuration matrices will significantly improve quality, stability and ease maintenance.

Currently, extensive unit tests exist within individual programs and libraries, but full system integration tests don’t exist. In order to set this up, I’ll have to deploy a test runner (requested as part of this application), write Infrastructure-as-Code to set up test env and periodically run tests.

It is an involved and time-consuming process and so it is rated “hard”.
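Objective 2 above, as an added example that is not mCaptcha's own code: a single-process leaky bucket that maps recent request volume to a Proof-of-Work difficulty factor. The `LEVELS` thresholds, the leak rate and the `surge` helper are constructed for illustration; the two-node run goes one step beyond the post to show that buckets sharing no state each see only part of a surge.

```rust
// Added illustration, not mCaptcha's code. LEVELS and the leak rate are constructed values.
use std::time::{Duration, Instant};

/// (bucket fill threshold, PoW difficulty factor), ascending.
const LEVELS: [(f64, u32); 3] = [(50.0, 50_000), (500.0, 500_000), (5_000.0, 5_000_000)];

pub struct LeakyBucket {
    fill: f64,         // requests seen recently that have not leaked out yet
    leak_per_sec: f64, // drain rate; sets how quickly difficulty relaxes after a surge
    last: Instant,
}

impl LeakyBucket {
    pub fn new(leak_per_sec: f64, now: Instant) -> Self {
        Self { fill: 0.0, leak_per_sec, last: now }
    }

    /// Drain for the elapsed time, count this request, return the difficulty to issue.
    pub fn on_request(&mut self, now: Instant) -> u32 {
        let elapsed = now.saturating_duration_since(self.last).as_secs_f64();
        self.fill = (self.fill - elapsed * self.leak_per_sec).max(0.0) + 1.0;
        self.last = self.last.max(now);
        // First level whose threshold covers the fill; above all thresholds, the hardest.
        LEVELS.iter().find(|(t, _)| self.fill <= *t).map_or(LEVELS[2].1, |(_, d)| *d)
    }
}

/// `n` requests 1 ms apart, round-robin over `nodes` buckets that share no state.
/// Returns the difficulty each node issued for its last request.
pub fn surge(nodes: usize, n: u64) -> Vec<u32> {
    let t0 = Instant::now();
    let mut buckets: Vec<LeakyBucket> = (0..nodes).map(|_| LeakyBucket::new(10.0, t0)).collect();
    let mut issued = vec![LEVELS[0].1; nodes];
    for i in 0..n {
        let k = i as usize % nodes;
        issued[k] = buckets[k].on_request(t0 + Duration::from_millis(i));
    }
    issued
}

fn main() {
    println!("one node, 600 req: {:?}", surge(1, 600));
    println!("two nodes, 600 req: {:?}", surge(2, 600));
}
```

With one bucket the 600-request burst reaches the hardest level; split across two independent buckets, each node stays one level lower for the same traffic.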

You will find my comments and suggestions in the chatroom

1 Like

I will be working on making libraries (in Go, Rust, JavaScript etc.) to interact with mCaptcha’s API. Building the library includes: designing a general structure (used across programming languages), documenting the library, implementing tests and obviously the code itself.

I will be working on Codeberg to deploy an mCaptcha instance to be used in combination with codeberg.org’s Gitea instance. So as a task (if needed, not sure if this will actually be fulfilled), I can help other server admins to set up an mCaptcha instance.

Given the experience of setting up mCaptcha in a real-world scenario, I will be able to improve the documentation and process of setting up and maintaining an mCaptcha instance.


Feel free to word this into the grant, so it’s consistent language and tone.

2 Likes

For the tasks that I will be working on, I will be requesting a €20/h rate, which was determined by the difficulty factor for these tasks. @realaravinth Are you fine with this?

2 Likes

Perfect!

1 Like

Received response from NLnet:

Dear Aravinth and Gusted,


you applied to the first NGI0 Entrust open call from NLnet, round August 2022. We have kept you in suspense for a while, because this call was the single largest in our history in terms of proposals that needed to be processed. This is done, however, and currently a selection of the projects is pending the final stage review by an independent review committee to validate their eligibility, and we are happy to inform you that this includes your project "mCaptcha" (2022-08-142). Should your project pass that final hurdle (which under normal circumstances it should, but please do not seek external publicity until it is officially confirmed), the selection will be made public and we will contact you in order to establish a Memorandum of Understanding. The final amount of the grant will be determined at that point.

We will then also need to share some information about the project both with the general audience and with the European Commission. In the interest of time, we ask you to prepare a **one paragraph management summary** of the project. For examples we refer you to https://nlnet.nl/thema/NGIZeroPET.html

We kindly request you to send us this summary as soon as possible.

If you meanwhile have any questions, please let us know.

Kind regards,
on behalf of NLnet foundation,

cc @gusted

1 Like

My response:

Hello <redacted>,

Thanks for the good news. Here's the management summary that you asked for:

----------

Existing CAPTCHA systems expect visitors to identify objects to prevent spam, which makes the web inaccessible to persons with cognitive, auditory, and visual special needs. They log Internet Protocol (IP) addresses and use tracking technologies, like cookies, to track and profile their users across the internet. IP logging and cookie-based tracking are privacy-invasive, inaccurate, and impossible to use with anonymizing technologies like Tor and VPNs. Censors can abuse the opaque nature of these systems to prevent certain groups from accessing certain types of information. Independent testing for bias is not possible since the documentation doesn't exist for their methods and algorithms.


mCaptcha is an attempt at creating a self-hosted alternative to reCAPTCHA and hCaptcha with a focus on privacy, transparency, user experience, and accessibility. mCaptcha’s Proof of Work (PoW) mechanism uses strong cryptographic principles that guarantee idempotency and transparency. mCaptcha doesn’t log IP addresses and doesn’t require tracking user activity across the internet. Censors can’t use mCaptcha to deny access to information without detection. Also, the PoW mechanism requires minimal user interaction to solve the CAPTCHA, which will significantly improve the accessibility of the web.

----------

Warm regards,
Aravinth

Response from NLnet:

Hi Aravinth and Gusted,

> Thanks for the good news. Here's the management summary that you asked for:

thank you very much for the summary, much appreciated!

We will keep you posted on the outcome of the external review committee.

Meanwhile, take care!

Best,
<redacted> 
2 Likes