Hacker News new | ask | show | jobs
by sleepybrett 45 days ago
I get the criticism but also I don't get the criticism.

Thank fuck that someone found this bug and let them and the rest of us about it so we can protect ourselves. My forgejo instance was already running on my tailnet with no public exposure but had been considering public disclosure of it for some collaborators.

There has been a lot of talk around forgejo as an alternative to github for months now. To now understand that their security posture seems to be, 'like, yaknow, whatever...' is disturbing.

I think both parties can take this opportunity to mature. I understand that Forgejo is a community project, but community projects should have standards or very explicit disclaimers when it comes to security.
1 comments
throwa356262 45 days ago
The growing popularity of the project + an increase of AI-powered security enthusiasts submitting random bugs has created a HUGE backlog for the Foregejo security team.

Instead of acting like this, the author should offer to help the project.

link
jszymborski 45 days ago
I think the author would argue they did try to do so, but their efforts were poorly received.
link
dgellow 45 days ago
The author doesn’t owe forgejo anything. They are doing them a favor by highlighting the issues
link
throwa356262 45 days ago
No, the author is seeking attention. He is not doing forgejo or their users any favours by completely ignoring the rules of engagement

https://en.wikipedia.org/wiki/Coordinated_vulnerability_disc...

link
throawayonthe 44 days ago
coordinated disclosure has always been a courtesy (with a deadline to motivate the vendor to fix their stuff) and i don't like how people seem to just expect it now
link