Follow-up to Carrot disclosure: Forgejo
Thu 30 April 2026

Since I published Carrot disclosure: Forgejo two days ago, numerous things have happened:

  • People reached out to friends of mine, either to ask them to "talk to me from a place of trust", or simply to convey to them in great detail what a horrible person I am, which they found hilarious.
  • The toot linking to the blogpost was removed from infosec.exchange by an overzealous moderator after it had been reported multiple times by multiple people. I thus moved to mastodon.social, where it was also removed with "Irresponsible disclosure" given as a reason. So I moved back to infosec.exchange, where the toot was restored. In the meantime, friends handed me invitations for various mastodon instances, which I'm grateful for.
  • Numerous instances of the eternal vulnerability disclosure debate spawned.
  • Some exploit-writer friends of mine complained that I brought unwanted attention to an easy target.
  • The Netherlands deployed a sovereign software forge in the form of a public forgejo instance.
  • Everyone on mastodon had an opinion on this, mostly on what I should do with the vulnerabilities I found, and was really vocal about it, especially people who aren't related to computer security. It seems that we're still in the "fixing bugs will make us more secure" era, which is a bit sad. I also, of course, got called a handful of vile names.
  • The term "not professional" (as in "not acceptable in a professional environment") has been thrown around a lot, but nothing here is or was being done in a professional context.
  • Forgejo's security policy was copiously made fun of.
  • I got a tone-deaf email from Forgejo's moderation team, in reply to my arguably tone-deaf blog post, which I think is funny.
  • I've learnt that the role of Forgejo's security team is to "take care of security vulnerabilities and to handle sensitive security-related issues reported to security@forgejo.org using encryption." Doing anything proactive isn't part of their remit.
  • Various entities, including some with security teams, revised their judgment about what Forgejo is and isn't, which was the main goal of the previous blogpost.

Nonetheless, some productive good-faith conversations have been had as well, and it seems that experimenting with odd vulnerability disclosure schemes is frowned upon. So I ended up sending an email to Forgejo's security team, containing: an apology, a bit about my reasoning for proceeding with carrot disclosure, recommendations about what to harden/review, and a bunch of commented exploits/proofs-of-concept as attachments. We'll see how it goes.

On a more personal note, I found the amount of flak and hate completely wild, and I think I would have gotten way less had I simply decided to go with full disclosure. Heck, even a "found cool bugs in Forgejo, sold them for peanuts lol" would probably have been better received. But as a friend explained to me: "everyone loves the puppy, but also knows how weak it currently is, and you kicked the puppy, yelling about how weak the fucker is.", which is an apt metaphor I guess.

And now, some out-of-context anonymous quotes on the topic, from friends and foes, taken from HackerNews, lobste.rs, LWN, Mastodon, Bluesky, and various IRC channels, ordered by length, for no particular reason other than to add some colouring (and, let's be honest, a bit of much-needed comic relief) to this whole event:

epic

grim

nice flex

QUIT TROLLIN

insufferable

how much for the RCE?

that's total fucking bs

OP is absolutely a dick

nice finds on forgejo!!!

the fuck is wrong with you?

wow, what an awful behavior

lmao jvoisin I'm loving this.

why, just put in the pull request

It's one way to not make friends ^_^

they need some reflection rather than rage

Exciting, curious if codeberg is affected ✨️

i believe this is what they call -- "a dick move"

The biggest asshole "disclosure" I've seen in a while.

They will call you an asshole, but can't do anything about it.

I honestly want a refund on the 10 minutes I wasted reading this.

maybe try properly disclosing the vulns instead. food for thought

i really cannot understand what possibly possessed you to do this

If you are in infosec, that's a great guide on how not to do disclosure.

The author's attitude is so off-putting. What gives? Did Forgejo hurt you?

Doing things like this, especially against a volunteer-run project is a dick move.

At least tell them what you found and see if they fix it before choosing the asshole action.

alright, took 6h to get a working RCE on forgejo, solid software, 10/10 would recommend deploying

As soon as i see that security policy i tune out. It's like one of those in game EULA no one reads

putting end users and admins at risk by publishing clues about zero days just to show off is disgusting

Their motivation isn't making one tool better, but keeping users safe. We need those people and the work they do badly!

Appreciate that you looked into forgejo security. I can also see why your writing style did "activate" a lot of people tho :)

My personal thought is that I appreciate, as a defender, knowing this information about a project having a systematic lack of security.

That's an incredibly condescending way to talk about someone else's work, and a horrible attempt to force volunteers to follow your priorities.

I'm not really familiar with forgejo other than knowing vaguely about its history. I'm a little surprised it's so bad given its adoption though

trying to coerce people to fix bugs you don't feel are worth reporting properly by posting publicly is a dick move, whether the devs are paid or volunteers, imo

I really like the idea of forgejo, but as someone following the development channel, it really feels like FOSS hobbyist and not that much engineers maintaining a huge forge.

Outside of the diff not loading, because codeberg slow af, they want you to write a freaking js test for that? Like I understand how to technically test that, but which value does it add?

this is an interesting disclosure strat, but I'm not sure i think its the best one to apply to foss. might be better used to pressure all the ivantis of the world to stop getting everyone owned.

i will point my coworkers at your research, it's a dutch entity. They might get the forgejo ppl going. Honestly the "did you write a test?" response on the xss hardening issues was a bit monty python level

Yo this person's attitude is insane. I didn't see the comment about mailing those patches instead of opening a PR. They're fucking crazy. I opened one of your PRs to see if there were new comments, I think it crashed codeberg.

Seems like grandstanding bad faith to me. They didn't even bother to follow the established disclosure policy for this project because the author feels the quality of the code is so crap, so instead does this...

It would definitely be a bit silly for the author to make a fake carrot disclosure, but I thought of it just because of how reading this article made me feel distrust toward the author. IDK, they just seem like kind of a jerk!

I think the person who did this did it only to have their moment of fame, and it apparently worked. I would personally have omitted their name from the description above to avoid further promoting such bad behaviors.

Getting HTML building right is a pretty basic building block of web apps, Forgejo can't have great security practices if they aren't doing that. So I can easily imagine the OP is correct in their assessment of Forgejo code security.

This is not okay. Trolling a FOSS project showing off a zero day instead of sending PRs or a proper security report... and the only justification given is that they didn't like a PR removing a feature, and haven't yet merged another PR opened yesterday??

that's bad. We are trying to build stuff together, as a community. What you're doing is basically kicking down the stuff other people have built. I'll be discussing that behaviour when we are considering our next donation to @nos_oignons.

I have security experience and hearing that there are these issues makes me want to contribute to forgejo, but I'm also discouraged from doing that, because of how much of an asshole you're being here. I don't want to give you what you want.

<snark>but I mean the alternative would've been to spend time reporting and maybe the developers wouldn't take you as seriously as you think you should be taken and that might hurt your feelings or require emotional labor to convince someone to look more broadly</snark>

they seem to have a hard time deciding if they are a serious project or just a toy one that possibly couldn't be scrutinized because it's just a bunch of volunteers. Schrodinger's seriousness, very professional or very helpless depending on whatever's more convenient at the moment.

This seems like a pretty dick move without even attempting to engage with Forgejo first. A combination of assumptions based on no evidence and "I don't feel like it" is not a good look. They aren't a large company with money to burn, they depend on people being willing to pitch in or at least provide details before going nuclear.

You may ASK unpaid security research volunteers to participate in some coordinated disclosure, but you can't demand they surrender their free time beyond the report. The maintainers are NLnet funded, the security researcher is operating on goodwill. The bugs are still sitting unaddressed in the open, although there's a recent commit fixing token expiry.

The Forgejo disclosure process looked pretty simple and straightforward to me. The bold and all-caps words that bothered the author are just making sure you know how to disclose vulnerabilities safely without leaking zero-day exploits to a wider audience than necessary. I'm also not impressed with a carrot disclosure that looks like this. Running a python script to compromise a locally hosted instance? Bruh, you have physical hardware and host shell access. That python script could be doing anything including running as root.

what you've done here was below any reasonable standard of professional conduct, and also very strange to me. I'm an accessibility nerd and have recently begun digging into Forgejo's accessibility bugs. They do have a few, which to me was like "oh cool, it will probably be fun to work with them on these". Makes no sense to me as a specialist in solving a particular type of problem to build a brand as someone this publicly hostile to those you deem as having too much of that problem.