I don’t really see what is so bad here… There was disclosure of type, but no reference to the exact code. This gives the maintainer a chance to reach out for specifics before bad actors can make a pseudo-zero day.
I understand what you’re saying, but Forgejo has an outdated and made-up-from-thin-air policy. From their security.md:
You MUST disclose vulns to the author (why are we dictating instead of inviting participation)
emails about vulns MUST be encrypted (I don’t even understand this one; this gives really strong “we don’t know how email works” vibes)
And it just goes on, like someone from 2003 wrote that policy.
Now, I’m going to agree with you that it’s a bit of a dick move to do the carrot dangle thing, but some vendors/devs just don’t respond without the pressure. And Forgejo has been forced by GitHub supporters to implement a security policy after trying to ignore it.
It seems that the author has some ongoing interactions with Forgejo, and it would be great if these were disclosed in the article, but Forgejo seems to need a kick in the pants, especially over an RCE, the forbidden sev 10 of vulns.
If you replaced Forgejo with GitHub then I would understand, but Forgejo isn’t a massive organization with hundreds of hired employees, it’s run by people in their spare time with the option of donations.
Anyone can help contribute; instead of doing that, this guy decided to try and get some clout by being an asshole because he is butthurt about some other interaction. If this guy went about it the proper way and then still got no answer or fix after months, then I would understand more, but he didn’t.
Is it the language you object to?
The entire attitude is shit. Could just contact the developers as outlined, instead of being a prude about it for some clout.