Follow-up to Carrot disclosure: Forgejo
Thu 30 April 2026 — download

Since I published Carrot disclosure: Forgejo two days ago, numerous things happened:

  • Friends of mine were reached out to, to "talk to me from a place of trust", or simply to tell them what an horrible person I am, which they found hilarious.
  • The toot linking to the blogpost was removed from infosec.exchange by an overzealous moderator after it had been reported multiple times by multiple people. I thus moved to mastodon.social, where it was also removed with "Irresponsible disclosure" given as a reason. So I moved back to infosec.exchange, where the toot was restored. In the meantime, friends handed me invitations for various mastodon instances, which I'm grateful for.
  • Numerous instances of the eternal vulnerabilities disclosure debate spawned.
  • Some exploit-writer friends of mine complained that I brought unwanted attention to an easy target.
  • The Netherlands deployed a sovereign software forge in the form of a public forgejo instance.
  • Everyone had an opinion on mastodon on this, especially on what I should do with the vulnerabilities I found, and was really vocal about it. I also got called a handful vile names.
  • Forgejo's security policy was copiously made fun of.
  • I got a tone deaf email from Forgero's moderation team, to my arguably tone-deaf blog post, which I think is funny.
  • I've learnt that the role of Forgejo security team is to "take care of security vulnerabilities and to handle sensitive security-related issues reported to security@forgejo.org using encryption." Doing anything proactive isn't in their attributions.
  • Various entities, including some with security teams, revised their judgment about what Forgejo is and isn't, which was the main goal of the previous blogpost.

Nonetheless, some productive good faith conversations have been had as well, and it seems that experimenting with odd vulnerability disclosure schemes is frowned upon. So I ended up sending and email to Forgejo security team, containing: an apology, a bit about my reasoning for proceeding with carrot disclosure, recommendations about what to harden/review, and a bunch of commented exploits/proof-of-concepts as attachment. We'll see how it goes.