Since I published Carrot disclosure: Forgejo two days ago, numerous things happened:
- Friends of mine were reached out to, to "talk to me from a place of trust", or simply to tell them what an horrible person I am, which they found hilarious.
- The toot linking to the blogpost was removed from infosec.exchange by an overzealous moderator after it had been reported multiple times by multiple people. I thus moved to mastodon.social, where it was also removed with "Irresponsible disclosure" given as a reason. So I moved back to infosec.exchange, where the toot was restored. In the meantime, friends handed me invitations for various mastodon instances, which I'm grateful for.
- Numerous instances of the eternal vulnerabilities disclosure debate spawned.
- Some exploit-writer friends of mine complained that I brought unwanted attention to an easy target.
- The Netherlands deployed a sovereign software forge in the form of a public forgejo instance.
- Everyone had an opinion on mastodon on this, especially on what I should do with the vulnerabilities I found, and was really vocal about it. I also got called a handful vile names.
- Forgejo's security policy was copiously made fun of.
- I got a tone deaf email from Forgero's moderation team, to my arguably tone-deaf blog post, which I think is funny.
- I've learnt that the role of Forgejo security team is to "take care of security vulnerabilities and to handle sensitive security-related issues reported to security@forgejo.org using encryption." Doing anything proactive isn't in their attributions.
- Various entities, including some with security teams, revised their judgment about what Forgejo is and isn't, which was the main goal of the previous blogpost.
Nonetheless, some productive good faith conversations have been had as well, and it seems that experimenting with odd vulnerability disclosure schemes is frowned upon. So I ended up sending an email to Forgejo security team, containing: an apology, a bit about my reasoning for proceeding with carrot disclosure, recommendations about what to harden/review, and a bunch of commented exploits/proof-of-concepts as attachment. We'll see how it goes.
On a more personal note, I found the amount of flak and hate completely wild, and I think I would have got way less had I simply decided to go with full disclosure. Heck, even a "found cool bugs in Forgejo, sold them for peanuts lol" would probably have been better received. But as a friend explained to me: "everyone loves the puppy, but also knows how weak it currently is, and you kicked the puppy, yelling about how weak the fucker is.", which is good metaphor I guess.