After publishing a "carrot disclosure" on Forgejo, jvoisin faced social pressure, removal of his Mastodon toot, and community backlash before ultimately sending exploits and hardening recommendations to security@forgejo.org.
Key Takeaways
Forgejo’s security team scope is explicitly reactive: it handles reports sent to security@forgejo.org; proactive vulnerability work is outside its mandate.
The toot linking to the original post was removed from infosec.exchange and mastodon.social before being restored, illustrating how inconsistently Mastodon instances moderate disclosure debates.
The Netherlands deployed a sovereign software forge on a public Forgejo instance, raising the stakes for Forgejo’s security posture.
jvoisin ultimately sent an apology, reasoning, hardening recommendations, and commented proof-of-concepts to the Forgejo security team.
Exploit-writer peers warned that the disclosure brought unwanted attention to what they consider an easy target.