Follow-up to Carrot disclosure: Forgejo
4 hours ago
- #Forgejo
- #Vulnerability Disclosure
- #Community Reaction
- The author published a vulnerability disclosure about Forgejo, which led to personal attacks and efforts to discredit them.
- Posts linking to the blog post were removed from multiple Mastodon instances after being reported, but were later restored.
- The disclosure sparked debate about vulnerability disclosure practices and drew criticism from exploit writers.
- A sovereign software forge was launched in the Netherlands via a public Forgejo instance.
- Strong opinions and insults were directed at the author over how the found vulnerabilities were handled.
- Forgejo's security policy was widely mocked, and the security team's role was clarified as reactive (responding to reports) rather than proactive.
- Good-faith conversations followed, and the author apologized to Forgejo's security team, sharing the exploits and recommendations with them.
- Various parties reassessed their views on Forgejo's security, which the author describes as their primary goal.