Follow-up to Carrot disclosure: Forgejo

Published: (April 30, 2026 at 03:22 PM EDT)
Source: Hacker News

Background

Since I published the Carrot disclosure for Forgejo two days ago, numerous things have happened.

Reactions

  • Friends were contacted and asked to “talk to me from a place of trust,” or simply to tell them what a horrible person I am, which they found hilarious.
  • The toot linking to the blog post was removed from infosec.exchange by an over‑zealous moderator after multiple reports. I moved it to mastodon.social, where it was also removed with “Irresponsible disclosure” given as a reason. I then returned to infosec.exchange, where the toot was restored. In the meantime, friends handed me invitations for various Mastodon instances, for which I’m grateful.
  • Numerous instances of the eternal vulnerabilities‑disclosure debate were spawned.
  • Some exploit‑writer friends complained that I brought unwanted attention to an easy target.
  • The Netherlands deployed a sovereign software forge in the form of a public Forgejo instance.

Public Discussion

Everyone had an opinion on Mastodon (see the linked toot) about what I should do with the vulnerabilities I found, and many were vocal about it. I also received a handful of vile names. Forgejo’s security policy was copiously made fun of.

Interaction with Forgejo

I received a tone‑deaf email from Forgejo’s moderation team in response to my arguably tone‑deaf blog post, which I found amusing.

I learned that the role of the Forgejo security team is to “take care of security vulnerabilities and to handle sensitive security‑related issues reported to security@forgejo.org using encryption.” Proactive measures are not within their remit.

Various entities, including some with security teams, revised their judgment about what Forgejo is and isn’t—this was the main goal of the previous blog post.

Productive Conversations & Next Steps

Despite the noise, some good‑faith, productive conversations have taken place, and it seems that experimenting with unconventional vulnerability‑disclosure schemes is frowned upon.

I have therefore sent an email to the Forgejo security team containing:

  • an apology,
  • a brief explanation of my reasoning for proceeding with the Carrot disclosure,
  • recommendations on what to harden/review, and
  • a set of commented exploits/proof‑of‑concepts as attachments.

We’ll see how it goes.
