You must log in or # to comment.
FYI: The writer works for a AI-based security company and,well,seems to fit in there.
There’s a follow up by the author:
https://dustri.org/b/follow-up-to-carrot-disclosure-forgejo.html
Including this:
So I ended up sending and email to Forgejo security team, containing: an apology, a bit about my reasoning for proceeding with carrot disclosure, recommendations about what to harden/review, and a bunch of commented exploits/proof-of-concepts as attachment. We’ll see how it goes.
What a dick that guy is.
Edit: I hate to remove comments and it may get me banned but due to the hate speech I’m receiving regarding things unrelated to software while trying to sympathize with a frustrated security researcher who got caught up in unnecessary bureaucracy when taken en masse, I’m going to remove these comments for now. This is why we volunteer FOSS engineers have to stay clear of popular projects I guess.
Yea. But did you read the security.md?
https://codeberg.org/forgejo/governance/src/branch/main/SECURITY-POLICY.mdUse an encrypted email to security@forgejo.org. If you can’t, tell them and they will set one up.
Seems very assholeish to not at least do that.
Edit: I hate to remove comments and it may get me banned but due to the hate speech I’m receiving regarding things unrelated to software while trying to sympathize with a frustrated security researcher who got caught up in unnecessary bureaucracy when taken en masse, I’m going to remove these comments for now. This is why we volunteer FOSS engineers have to stay clear of popular projects I guess.
Edit: I hate to remove comments and it may get me banned but due to the hate speech I’m receiving regarding things unrelated to software while trying to sympathize with a frustrated security researcher who got caught up in unnecessary bureaucracy when taken en masse, I’m going to remove these comments for now. This is why we volunteer FOSS engineers have to stay clear of popular projects I guess.
I don’t think you read the article.
Did you miss this part
with a lot of MUST/MUST NOT about what I must or mustn’t do should I decide to go this way.
Sounds like him being lazy.
Your comment said Forgejo has a disclosure process. The article says the author went with a carrot disclosure after reading the disclosure process and making a value judgement. Because your comment only mentioned Forgejo having a disclosure process, not an evaluation of the author’s evaluation of the disclosure process, it made you appear as if you had not read the article.
In your response to me calling that out, you offer an analysis. The author is lazy for using carrot disclosure over the defined disclosure process. That’s a valid take. I’m not going to disagree with that.
Can you please point out the hate speech you received? I can’t find any in the comments here, just people having different opinions.
As the time of writing the comment I am replying to has 15 up- and 3 downvotes. Doesn’t look like it has warranted hate speech.
They were DMed to me, and was disagreeing with me on this subject and then using anti-trans slurs. I got a bunch all in a short period, so I’m guessing a single actor or anti-trans group using multiple accounts. But I decided it wasn’t worth my emotional energy to keep the comments up and have others do the same. Sucks that some people can’t have discussions without finding something they hate about you and using that to make themselves feel superior when they dont have any real argument to make other than “you’re wrong”.
Honestly, I abandoned my lemmy.world account last year when Serinus changed the moderation policy that the “narrative” that trans people are not real or are mentally ill or whatever to not be considered hate speech and thus not to be removed automatically, following the similar change at Facebook. I guess I should continue to steer clear of the server since it seems it has given bigots a feeling that they aren’t the bad guy as I argued it would just like it did with Facebook, X, and the others. Sucks that we can’t live in peace. And that’s all I’ll say on the matter as I dont have the energy to convince anyone that trans people do exist, it’s widely accepted medical science from all unbiased medical organizations and it is definitely as much hate speech so say a trans person isn’t their gender as it is to say a black person is a non-human primate.
WTF, sorry you had to endure this. Sad to see that silencing seems to work, still. Please report their messages.
To the people messaging you privately: grow some courage and do it out in the open so we know who you are.
Trans people are just people born in the wrong gender’s body. People who feel the need to attack minorities like this are pathetic losers.
I’m not sure why this Lemmy post was titled “RCE in Forgejo” when it just links to a yet-to-be-proven exploit, and the post itself is just a boast on not disclosing the vuln and telling maintainers to duplicate efforts. Feels rather disingenuous.
Other than that the idea of treating Forgejo as some sort of vendor to pull a carrot on is kind of a stupid joke. The security policy, even if lengthy, provides basis for collaboration. And these behaviors, although coming out the volunteer effort of a security researcher, does not exempt one from looking like an ass.
Also see the Mastodon thread for more.
You’re right, I added a question mark.
… Fortunately (or unfortunately depending who you’re asking), the RCE relies on open registration , and on a configuration option set to a non-default value (which is the case on some instances I’ve looked at, so nothing exotic), meaning that its selling value is pretty low/nonexistent …
From the posted blogpost
There’s an HN thread about this and yes it sounds like the guy is being stupid and/or there was a communications error. He submitted a PR for a potentially breaking change and it was closed as “needs discussion”. That is, instead of clicking “open PR”, he was advised to instead click “open discussion” and talk about the proposed change and its potential downstream effects. He instead got pissy and started spamming forums.
Setting aside the Forgejo issues for a moment, I can’t quite see the logic behind the author’s description of a “carrot disclosure”.
As written, it’s a third option for disclosure, beyond 1) coordinated disclosure (often 90 days for the vendor to fix things) or 2) full disclosure (immediately going public, esp when the vulnerability is believed to be actively exploited). But what the author describes as the carrot is to publish only the output of a proof-of-concept, and then the onus is on the vendor to figure out both the vulnerability and the fixes.
This seems wildly irresponsible to me, to put the effort into writing a working PoC but then to willfully withhold it, so as to basically force the vendor into a wild goose chase. And that’s the best case scenario, when the PoC is actually legit. At worst, it’s a DoS against a vendor (causing them to re-audit code to find a bug that doesn’t actually exist, eg hallucinated AI slop) or is a form of defamation to scare users away.
Then there’s the issue of when it’s not a “vendor” per-se but a group of volunteers of an open-source project, which I will distinguish from commercial vendors as “maintainers”. Is it ethical to withhold an already-written PoC from FOSS maintainers, whom often do not have the material capabilities to do a full-scale audit when given basically no clues?
To be clear, I’m not a security researcher and have done zero disclosures of any form. But if I ever ran a project and received a so-called carrot disclosure, why shouldn’t I immediately call their bluff and treat it as full-disclosure? This situation seems like Schrodinger’s Cat, where the only way to rip away the uncertainty is to throw open the box. Worse case, the project suffers the reputational hit for having a legit vulnerability. But best case, the vulnerability is non-existent. But what this supposed “third way” purports to do is no different than sowing the seeds of fear, uncertainty, and doubt amongst users. Someone tell me how this isn’t one step away from extortion.
I think game theory would say that any and all recipients of “carrot” disclosures should always call the bluff, immediately and vocally. I don’t see any way for such disclosures to be anything but unnecessarily antagonistic. I refuse to credit the term with any legitimacy.
What’s a good alternative? I’m not 100% sold on forgejo either due to some bugs and security issues I’ve run into as well, but I’ve found few self-hosted alternatives that are a good fit. I need very little beyond a git repo. But I like having the web UI for reviewing code and pull requests and basic issue tracking and need that to support OIDC, but otherwise I’m open. I want something relatively lightweight, fully FOSS, and telemetry and all other external communication can be disabled.
Forgejo is fine. Don’t expose it to the internet unless you have to, or mirror your repos to Codeberg and let them worry about it.
Yeah I keep it isolated for now, but use it very little. I plan to expand to try to get off of some other platforms, so just looking if any other options exist, even if they lack features since I don’t use a lot.
