Internet Society Foundation Common Good Cyber Fund 2026: Up to $300,000 in Two-Year Grants for Nonprofit Cybersecurity Organizations
The Internet Society Foundation’s Common Good Cyber Fund will disburse at least USD $3.5 million in multi-year operating grants to nonprofits that protect critical cybersecurity infrastructure and high-risk internet users, with applications open until 4 August 2026.
Internet Society Foundation Common Good Cyber Fund 2026: Up to $300,000 in Two-Year Grants for Nonprofit Cybersecurity Organizations
The Internet Society Foundation has opened a global call for its Common Good Cyber Fund, a new grant program built for a specific and often overlooked problem: much of the security infrastructure that keeps the internet safe is maintained by small nonprofits and volunteer-led projects that struggle to fund the work. This fund puts multi-year operating money behind those organizations. For the 2026 round it will disburse at least USD $3.5 million through roughly fifteen two-year grants, with individual awards typically ranging from $100,000 to $300,000. Applications are open from 23 June 2026 and close on 4 August 2026 at 21:00 UTC.
If you run or work for a nonprofit that keeps critical cybersecurity systems running, defends civil society against digital attacks, or helps vulnerable users stay safe online, this guide explains what the fund pays for, who qualifies, how the application works, and how to build a competitive case before the deadline.
At-a-glance
| Item | Detail |
|---|---|
| Program | Common Good Cyber Fund |
| Funder | Internet Society Foundation |
| Total 2026 pool | At least USD $3.5 million |
| Estimated number of grants | Around 15 |
| Grant size | Typically $100,000–$300,000 per organization |
| Grant term | Two years (multi-year operating grants) |
| Application window | 23 June 2026 – 4 August 2026, 21:00 UTC |
| Registration cutoff | Register in Fluxx at least 24 hours before the deadline |
| Eligibility | Nonprofit organizations (U.S. 501(c)(3) or international equivalent) working in cybersecurity |
| Geographic scope | Global |
| Application languages | English, French, or Spanish |
| Platform | Internet Society Foundation Fluxx grants system |
| Official page | https://www.isocfoundation.org/grant-programme/common-good-cyber-fund/ |
Because dates, dollar figures, and requirements can be updated, treat the official Common Good Cyber Fund page as the source of truth before you submit.
What the fund is trying to solve
The security tools and services that the wider internet depends on are frequently maintained as public goods. Open-source security libraries, threat-intelligence sharing groups, incident-response teams for civil society, and DNS and routing security projects rarely have a commercial revenue model. They are often held together by a handful of underpaid staff or unpaid volunteers, and their funding tends to be short-term and project-based rather than stable.
The Common Good Cyber Fund is designed to counter that pattern by providing operating support rather than narrow project grants. Operating money is unusually valuable for this kind of organization because it can cover salaries, core infrastructure, and the ongoing maintenance work that project grants routinely exclude. The two-year term matters too: it gives grantees a longer planning horizon than a single annual cycle allows.
The fund grew out of the broader “Common Good Cyber” initiative, a cross-sector effort to find sustainable ways to finance the nonprofit organizations that protect the shared infrastructure of the internet. The Internet Society Foundation administers this grant program and manages the review and disbursement.
What the grant offers
The headline terms for the 2026 round are straightforward:
- Total pool: at least USD $3.5 million for this round.
- Grant size: typically between $100,000 and $300,000 per organization, with $300,000 as the maximum over the full grant period.
- Term: two years.
- Type: multi-year operating grants, not restricted project funding.
Operating grants can generally be applied to staff time, core services, essential tooling and infrastructure, and the organizational capacity needed to sustain security work. That flexibility is the point. Many funders will pay for a shiny new feature but not for the unglamorous work of keeping an existing critical service patched, monitored, and staffed. This fund is explicitly aimed at that maintenance and continuity gap.
The three focus areas
The fund concentrates on organizations whose work falls into three broad categories. Your application should make clear which of these best describes your organization, and it is fine to sit across more than one.
Maintaining critical cybersecurity infrastructure. This includes the systems that underpin trust and safety across the internet, such as DNS security, threat detection and analysis, and shared response services that many other actors rely on.
Delivering scalable support to protect users from digital harm. This covers incident response, device and account security help, and rapid assistance for civil society organizations, journalists, human-rights defenders, and others who are targeted online. The emphasis is on services that can reach many at-risk users rather than one-off interventions.
Protecting vulnerable and high-risk groups. This includes policy work, coordinated vulnerability disclosure and reporting mechanisms, and the coordination structures that help defend communities against threats such as state-directed cyber activity and digital transnational repression.
Across all three, the connecting thread is the “common good”: the fund is looking for work that benefits the broader ecosystem and protects people who cannot easily pay for their own defense, not commercial security products.
Who is eligible
To apply, an organization generally needs to meet the following requirements:
- Nonprofit status. You must be a registered nonprofit — a U.S. 501(c)(3) or the recognized equivalent in your own country. This is a fund for mission-driven organizations, not for-profit vendors.
- Cybersecurity mission. Your organization must deliver cybersecurity infrastructure and/or services that protect high-risk communities and serve the common good, aligning with the fund’s purpose and the three focus areas above.
- Ability to receive funds. You must hold an official bank account in the organization’s own name that can receive funds from a foundation based in the United States. This is a practical requirement that trips up some international applicants, so confirm it early.
- Organizational capacity and governance. You must be able to demonstrate that your organization has the capacity, financial controls, and governance to manage a two-year grant responsibly.
The program is explicitly global. Nonprofits outside the United States are encouraged to apply, provided they meet the equivalent-nonprofit and banking requirements. Applications can be submitted in English, French, or Spanish.
How the application works
Applications are handled through the Internet Society Foundation’s grants management platform, Fluxx. The process has a few steps that are easy to underestimate under deadline pressure:
- Register in Fluxx. Create or access your organization’s account on the Foundation’s Fluxx portal. The Foundation requires organizations to be registered in Fluxx at least 24 hours before the application deadline, so do not leave account setup to the final day.
- Complete the application. Provide your organizational and project narrative describing how your work fits the fund’s focus areas and serves the common good, in English, French, or Spanish.
- Attach the required documentation. Expect to supply a budget, your tax identification number, governing documents, a list of current funders, recent tax returns (about two years), and audited financial statements (about two years). Gathering audited financials and governing documents can take time if they are not already on hand.
- Submit before the deadline. The application window closes on 4 August 2026 at 21:00 UTC. Late submissions are not considered.
After submission, applications go through screening and are evaluated by an independent Program Review Committee made up of cybersecurity experts and cross-sector professionals. Selected organizations then move through the Foundation’s due diligence and grant-agreement process before funds are disbursed.
Timeline and deadline
- 23 June 2026: Application window opens.
- Late July 2026: Initial screening of applications.
- At least 24 hours before 4 August: Deadline to be registered in Fluxx.
- 4 August 2026, 21:00 UTC: Application deadline. Convert this to your own time zone carefully — 21:00 UTC is late afternoon in the Americas and the middle of the night in parts of Asia and the Pacific, so plan your final submission accordingly.
Because review and due diligence follow the close of the window, expect a gap between submitting and any funding decision. Build that lead time into your organizational cash-flow planning rather than assuming a fast turnaround.
Required materials checklist
Prepare these before you open the application so you are not scrambling at the end:
- Organizational budget for the proposed grant period.
- Tax identification number and proof of nonprofit or equivalent status.
- Governing documents (bylaws, registration, or equivalent).
- A current list of your funders.
- Tax returns for approximately the last two years.
- Audited financial statements for approximately the last two years.
- A clear narrative describing your cybersecurity work, the communities you protect, and how you fit the fund’s focus areas.
- Confirmation that your bank account can receive funds from a U.S.-based foundation.
How to build a competitive application
Reviewers for a fund like this are trying to answer a few underlying questions. Speak to them directly.
Show that your work is genuinely common-good. Make the public benefit concrete. Explain who depends on your infrastructure or services, and what would break or go unprotected if your organization stopped operating. Reviewers are funding maintenance of shared systems and defense of at-risk people, so quantify reach where you can — number of organizations served, incidents handled, users protected, systems maintained.
Frame the ask as continuity, not a new project. This is an operating grant. Rather than pitching a new initiative that will only exist because of the grant, explain how two years of stable funding lets you keep critical work running, retain skilled staff, and reduce the fragility that comes from short-term project money.
Demonstrate that you can steward the money. Audited financials and governance documents are not box-ticking; they are how the Foundation gauges risk. A clean, coherent budget that ties directly to your described work signals that you can manage a multi-year grant.
Be specific about the high-risk communities you serve. If your work protects journalists, human-rights defenders, civil-society groups, or other targeted populations, name the threat model. Concrete detail about digital transnational repression, state-directed activity, or the vulnerabilities you address is more persuasive than general language about “keeping people safe.”
Common mistakes to avoid
- Missing the Fluxx registration cutoff. You must be registered at least 24 hours before the deadline. Treat account creation as a first-week task, not a last-day one.
- Misreading the deadline time zone. The cutoff is 21:00 UTC on 4 August 2026. Do not assume it is midnight in your local time.
- Applying as the wrong kind of entity. For-profit vendors and individuals do not fit. The fund is for registered nonprofits and their equivalents.
- Overlooking the banking requirement. International applicants sometimes cannot readily receive funds from a U.S.-based foundation. Verify this before investing time in the narrative.
- Pitching a narrow project instead of core work. The fund’s distinctive value is operating support. An application framed purely as a one-off deliverable misses the point.
- Leaving financial documents to the end. Assembling two years of audited financials and tax returns can take longer than writing the narrative.
Frequently asked questions
How much can we request? Grants typically range from $100,000 to $300,000 over the two-year term, with $300,000 as the maximum.
How many organizations will be funded? The round is expected to support roughly fifteen organizations from a pool of at least $3.5 million.
Can organizations outside the United States apply? Yes. The fund is global, but non-U.S. applicants must be recognized nonprofits (or the equivalent) and must be able to receive funds from a U.S.-based foundation.
What languages are accepted? Applications may be submitted in English, French, or Spanish.
Is this project funding or operating funding? It is multi-year operating support, which can cover core costs and ongoing maintenance rather than a single restricted project.
Where do we apply? Through the Internet Society Foundation’s Fluxx grants management platform, linked from the official program page.
Is it worth applying?
If your organization maintains security infrastructure or defends high-risk internet users and you have historically survived on short-term, restricted grants, this fund is a strong fit. Stable two-year operating money of up to $300,000 is rare in this space, and the fund is explicitly built for the maintenance and continuity work that other funders neglect. The main costs of applying are assembling your financial documentation and writing a clear narrative — real effort, but modest relative to the potential award. The biggest risks are administrative: missing the Fluxx registration window, misjudging the UTC deadline, or discovering late that your banking arrangements cannot accept the funds.
Official links and next steps
Start on the official Common Good Cyber Fund page at the Internet Society Foundation: https://www.isocfoundation.org/grant-programme/common-good-cyber-fund/. From there, confirm the current eligibility and deadline details, register your organization in the Fluxx grants platform well ahead of the cutoff, and begin gathering your governing documents, budget, tax returns, and audited financials. If any requirement is unclear, use the contact channel listed on the official page rather than relying on third-party summaries. Applications close on 4 August 2026 at 21:00 UTC.
