Follow-up to Carrot disclosure: Forgejo


Since I published “Carrot disclosure: Forgejo” two days ago, numerous things
happened:

  • Friends of mine were reached out to, either to “talk to me from a place of
    trust” or simply to be told what a horrible person I am, which they found
    hilarious.
  • The toot linking to the blogpost was removed from infosec.exchange by an
    overzealous moderator after it had been reported multiple times by multiple
    people. I thus moved to mastodon.social, where it was also removed, with
    “Irresponsible disclosure” given as the reason. So I moved back to
    infosec.exchange, where the toot was restored. In the meantime, friends
    handed me invitations for various Mastodon instances, which I’m grateful for.
  • Numerous instances of the eternal vulnerabilities disclosure debate spawned.
  • Some exploit-writer friends of mine complained that I brought unwanted
    attention to an easy target.
  • The Netherlands deployed a sovereign software forge in the form of a
    public forgejo instance.
  • Everyone on Mastodon had an opinion on this, especially on what I should do
    with the vulnerabilities I found, and was really vocal about it. I also got
    called a handful of vile names.
  • Forgejo’s security policy was copiously made fun of.
  • I got a tone-deaf email from Forgejo’s moderation team, in reply to my
    arguably tone-deaf blog post, which I think is funny.
  • I’ve learnt that the role of the Forgejo security team is to “take care of
    security vulnerabilities and to handle sensitive security-related issues
    reported to security@forgejo.org using encryption.” Doing anything proactive
    isn’t part of their remit.
  • Various entities, including some with security teams, revised their judgment
    about what Forgejo is and isn’t, which was the main goal of the previous
    blogpost.

Nonetheless, some productive good-faith conversations have been had as well,
and it seems that experimenting with odd vulnerability disclosure schemes is
frowned upon. So I ended up sending an email to the Forgejo security team,
containing: an apology, a bit about my reasoning for proceeding with carrot
disclosure, recommendations about what to harden/review, and a bunch of
commented exploits/proof-of-concepts as attachments. We’ll see how it goes.

🕒 **Posted on**: 1777580526