April 30, 2026

Commit history? More like conflict history

Follow-up to Carrot disclosure: Forgejo

Security spat turns into a fed-up internet pile-on, with cheers, jeers, and deleted posts

TLDR: The researcher behind the Forgejo warning says the fallout included deleted posts, personal attacks, and a reluctant apology email with proof of the problems attached. Online, people split hard between calling the whole thing reckless trolling and praising it as an ugly but necessary warning for anyone trusting Forgejo with their code.

What started as one researcher waving a giant red flag about problems in Forgejo — a GitHub-like tool people use to host code — has now turned into a full-blown online soap opera. A post linking to the original write-up was removed from one Mastodon server, removed from another for "irresponsible disclosure," and then restored on the first, bouncing around like a hot potato, while friends of the author were apparently contacted and told he was an awful person. Naturally, the internet responded the only way it knows how: by turning the whole thing into The Discourse. Some people argued the warning was messy and reckless; others basically said, messy or not, thank goodness someone yelled before more people got burned.

The comments are split between eye-rolls and applause. One camp thinks this has all the energy of a provocation, with one blunt commenter declaring, "This is the classic response of a troll". Another crowd is baffled by the backlash, with one admin saying they were considering opening up their own Forgejo setup and were relieved someone sounded the alarm first. Meanwhile, a more measured voice suggested the ideal outcome was to lower the personal heat — though even that got side-eyed as maybe too generous. And because this is the internet, there was also comic relief: a totally random shoutout to the site's favicon, which comes from the deliciously grim children's book I Want My Hat Back and honestly fits the mood. In the end, the author apologized and sent the Forgejo security team the details anyway, but the real takeaway is that the community is still bitterly arguing over whether sounding the alarm badly is better than staying quiet nicely.

Key Points

  • The author reports significant fallout after the earlier Forgejo disclosure, including outreach to the author’s friends, insults, and widespread debate about vulnerability disclosure.
  • A toot linking to the earlier blogpost was removed from infosec.exchange, then from mastodon.social for "Irresponsible disclosure," and was later restored on infosec.exchange.
  • The article says some exploit writers objected that the post brought attention to an easy target, while Forgejo’s security policy was heavily criticized.
  • The author states they learned Forgejo’s security team is focused on handling reports sent to security@forgejo.org using encryption, not proactive security work.
  • The author ultimately emailed Forgejo’s security team with an apology, reasoning for the disclosure approach, hardening recommendations, and attached exploit and proof-of-concept material.

Hottest takes

"This is the classic response of a troll." — bombcar
"Thank fuck that someone found this bug and let them and the rest of us know about it" — sleepybrett
"I think that's a very charitable interpretation" — rdtsc

Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.