Title: Follow-up to Carrot disclosure: Forgejo
Date: 2026-04-30 17:15

Since I published [Carrot disclosure:
Forgejo]((unknown)/security/forgejo_rce.md) two days ago, numerous things
happened:

- Friends of mine were reached out to, to "talk to me from a place of trust",
  or simply to convey to them in great detail what a horrible person I am,
  which they found hilarious.
- The [toot](https://infosec.exchange/@jvoisin/116488420408417722) linking to
  the blogpost was removed from infosec.exchange by an overzealous moderator
  after it had been reported multiple times by multiple people. I thus moved to
  mastodon.social, where it was also removed with "Irresponsible disclosure"
  given as a reason. So I moved back to infosec.exchange, where the toot was
  restored. In the meantime, friends handed me invitations for various mastodon
  instances, which I'm grateful for.
- Numerous instances of the eternal vulnerability disclosure debate spawned.
- Some exploit-writer friends of mine complained that I brought unwanted
  attention to an easy target.
- The Netherlands deployed a *sovereign software forge* in the form of a
  [public forgejo instance](https://code.overheid.nl/).
- Everyone had an opinion on
  [mastodon](https://infosec.exchange/@jvoisin/116488420408417722) on this,
  mostly on what I should do with the vulnerabilities I found, and was really
  vocal about it, especially people who aren't related to computer security. It
  seems that we're still in the "fixing bugs will make us more secure" era,
  which is a bit sad. I also, of course, got called a handful vile names.
- The term "not professional" (as in "not acceptable in a professional
  environment") has been thrown around a lot, but nothing here is or was being
  done in a professional context.
- Forgejo's [security
  policy](https://codeberg.org/forgejo/governance/src/commit/5c07b3801537212ed6be1edfec298d7b004ce92d/SECURITY-POLICY.md)
  was copiously made fun of.
- I got a tone-deaf email from Forgejo's moderation team, in response to my
  arguably tone-deaf blog post, which I think is funny.
- I've learnt that the role of the [Forgejo security
  team](https://forgejo.org/docs/next/contributor/discussions/#security) is to
  "take care of security vulnerabilities and to handle sensitive
  security-related issues reported to security@forgejo.org using encryption."
  Doing anything proactive isn't part of their remit.
- Various entities, including some with security teams, revised their judgment
  about what Forgejo is and isn't, which was the main goal of the previous
  blogpost.

Nonetheless, some productive good-faith conversations have been had as well,
and it seems that experimenting with odd vulnerability disclosure schemes is
frowned upon. So I ended up sending an email to the Forgejo security team,
containing: an apology, a bit about my reasoning for proceeding with carrot
disclosure, recommendations about what to harden/review, and a bunch of
commented exploits/proofs-of-concept as attachments. We'll see how it goes.

On a more personal note, I found the amount of flak and hate completely wild,
and I think I would have got way less had I simply decided to go with full
disclosure. Heck, even a "found cool bugs in Forgejo, sold them for peanuts
lol" would probably have been better received. But as a
[friend](https://anarc.at/) explained to me: "everyone loves the puppy, but
also knows how weak it currently is, and you kicked the puppy, yelling about
how weak the fucker is.", which is an apt metaphor I guess.

And now, some out-of-context anonymous quotes on the topic, from friends and
foes, taken from [HackerNews](https://news.ycombinator.com/item?id=47941590),
[lobste.rs](https://lobste.rs/s/swbkcl/carrot_disclosure_forgejo),
[LWN](https://lwn.net/Articles/1071499/), Mastodon, Bluesky, and various IRC
channels, ordered by length, for no other particular reason than to add some
colouring (and let's be honest, a bit of much needed comic relief) to this
whole event:

> epic

<!-- -->

> grim

<!-- -->

> yikes

<!-- -->

> nice flex

<!-- -->

> QUIT TROLLIN

<!-- -->

> insufferable

<!-- -->

> how much for the RCE?

<!-- -->

> that's total fucking bs

<!-- -->

> OP is absolutely a dick

<!-- -->

> nice finds on forgejo!!!

<!-- -->

> the fuck is wrong with you?

<!-- -->

> wow, what an awful behavior

<!-- -->

> lmao jvoisin I'm loving this.

<!-- -->

> why, just put in the pull request

<!-- -->

> It's one way to not make friends ^_^

<!-- -->

> they need some reflection rather than rage

<!-- -->

> Exciting, curious if codeberg is affected ✨️

<!-- -->

> i believe this is what they call -- "a dick move"

<!-- -->

> The biggest asshole "disclosure" I've seen in a while.

<!-- -->

> They will call you an asshole, but can't do anything about it.

<!-- -->

> I honestly want a refund on the 10 minutes I wasted reading this.

<!-- -->

> some noname lowlife decided to be a jerk about an RCE they found.

<!-- -->

> maybe try properly disclosing the vulns instead. food for thought

<!-- -->

> i really cannot understand what possibly possessed you to do this

<!-- -->

> If you are in infosec, that's a great guide on how _not_ to do disclosure.

<!-- -->

> The author's attitude is so off-putting. What gives? Did Forgejo hurt you?

<!-- -->

> having been on both sides of the equation i kind of want to punch this guy

<!-- -->

> Doing things like this, especially against a volunteer-run project is a dick
> move.

<!-- -->

> At least tell them what you found and see if they fix it before choosing the
> asshole action.

<!-- -->

> Yes that reviewer is kind of a dick but the submitter just escalated to
> nuclear dick.

<!-- -->

> alright, took 6h to get a working RCE on forgejo, solid software, 10/10 would
> recommend deploying

<!-- -->

> As soon as i see that security policy i tune out. It's like one of those in
> game EULA no one reads

<!-- -->

> they should reread your followup blogpost, I feel like they misunderstood "a bunch of"
> for "all my"

<!-- -->

> putting end users and admins at risk by publishing clues about zero days just
> to show off is disgusting

<!-- -->

> https://codeberg.org/forgejo/website/issues/839#issuecomment-14208296
> bullshit, my preauth RCE still works :')

<!-- -->

> Their motivation isn't making one tool better, but keeping users safe. We
> need those people and the work they do badly!

<!-- -->

> Appreciate that you looked into forgejo security. I can also see why your
> writing style did "activate" a lot of people tho :)

<!-- -->

> My personal thought is that I appreciate, as a defender, knowing this
> information about a project having a systematic lack of security.

<!-- -->

> The policy is poorly worded. Most of those uppercase words should be
> "please". You don't get to require anything of security researchers.

<!-- -->

> That's an incredibly condescending way to talk about someone else's work, and
> a horrible attempt to force volunteers to follow your priorities.

<!-- -->

> I'm not really familiar with forgejo other than knowing vaguely about its
> history. I'm a little surprised it's so bad given its adoption though

<!-- -->

> trying to coerce people to fix bugs you don't feel are worth reporting
> properly by posting publicly is a dick move, whether the devs are paid or
> volunteers, imo

<!-- -->

> I really like the idea of forgejo, but as someone following the development
> channel, it really feels like FOSS hobbyist and not that much engineers
> maintaining a huge forge.

<!-- -->

> Outside of the diff not loading, because codeborg slow af, they want you to
> write a freaking js test for that? Like I understand how technically test that,
> but which value does it add?

<!-- -->

> Sadly there is no shortcut to "the whole thing stinks and I want to get
> people to stop using it". You might have thought you had one with the carrot
> approach but it also does not work.

<!-- -->

> this is an interesting disclosure strat, but I'm not sure i think its the
> best one to apply to foss. might be better used to pressure all the ivantis of
> the world to stop getting everyone owned.

<!-- -->

> i will point my coworkers at your research, it's a dutch entity. They might
> get the forgejo ppl going. Honestly the "did you write a test?" response on the
> xss hardening issues was a bit monty python level

<!-- -->

> Yo this person's attitude is insane. I didn't see the comment about mailing
> those patches instead of opening a PR. They're fucking crazy. I opened one of
> your PRs to see if there were new comments, I think it crashed codeberg.

<!-- -->

> Seems like grandstanding bad faith to me. They didn't even bother to follow
> the established disclosure policy for this project because the author feels
> this quality of the code is so crap, so instead does this...

<!-- -->

> It would definitely be a bit silly for the author to make a fake carrot
> disclosure, but I thought of it just because of how reading this article made
> me feel distrust toward the author. IDK, they just seem like kind of a jerk!

<!-- -->

> I think the person who did this did it only to have their moment of fame, and
> it apparently worked. I would personally have omitted their name from the
> description above to avoid further promoting such bad behaviors.

<!-- -->

> Getting HTML building right is a pretty basic building block of web apps,
> Forgejo can't have great security practices if they aren't doing that. So I can
> easily imagine the OP is correct in their assessment of Forgejo code security.

<!-- -->

> This is not okay. Trolling a FOSS project showing off a zero day instead of
> sending PRs or a proper security report... and the only justification given is
> that they didn't like a PR removing a feature, and haven't yet merged another
> PR opened yesterday??

<!-- -->

> that's bad. We are trying to build stuff together, as a community. What
> you're doing is basically kicking down the stuff other people have built. I'll
> be discussing that behaviour when we are considering our next donation to
> @nos_oignons.

<!-- -->

> I have security experience and hearing that there are these issues makes me
> want to contribute to forgejo, but I'm also discouraged from doing that,
> because of how much of an asshole you're being here. I don't want to give you
> what you want.

<!-- -->

> < snark >but I mean the alternative would've been to spend time reporting and
> maybe the developers wouldn't take you as seriously as you think you should be
> taken and that might hurt your feelings or require emotional labor to convince
> someone to look more broadly</ snark >

<!-- -->

> they seem to have a hard time deciding if they are a serious project or just
> a toy one that possibly couldn't be scrutinized because it's just a bunch of
> volunteers. Schrodinger's seriousness, very professional or very helpless
> depending on whatever's more convenient at the moment.

<!-- -->

> This seems like a pretty dick move without even attempting to engage with
> Forgejo first. A combination of assumptions based on no evidence and "I don't
> feel like it" is not a good look. They aren't a large company with money to
> burn, they depend on people being willing to pitch in or at least provide
> details before going nuclear.

<!-- -->

> You may ASK unpaid security research volunteers to participate in some
> coordinated disclosure, but you can't demand they surrender their free time
> beyond the report. The maintainers are NLnet funded, the security researcher is
> operating on goodwill. The bugs are still sitting unaddressed in the open,
> although there's a recent commit fixing token expiry.

<!-- -->

> The Forgejo disclosure process looked pretty simple and straightforward to
> me. The bold and all-caps words that bothered the author are just making sure
> you know how to disclose vulnerabilities safely without leaking zero-day
> exploits to a wider audience than necessary. I'm also not impressed with a
> carrot disclosure that looks like this. Running a python script to compromise a
> locally hosted instance? Bruh, you have physical hardware and host shell
> access. That python script could be doing anything including running as root.

<!-- -->

> what you've done here was below any reasonable standard of professional
> conduct, and also very strange to me. I'm an accessibility nerd and have
> recently begun digging into Forgejo's accessibility bugs. They do have a few,
> which to me was like "oh cool, it will probably be fun to work with them on
> these". Makes no sense to me as a specialist in solving a particular type of
> problem to build a brand as someone this publicly hostile to those you deem as
> having too much of that problem.
