Recently, the cURL project moved from Hackerone to GitHub and back over AI slop resp. a subpar experience.
Daniel Stenberg blogged about the process and stated some requirements why Codeberg, Gitlab et al were non-choices. Feels like something Forgejo can consider:
What we want from a security reporting system
To illustrate what we are looking for, I made a little list that should show that we’re not looking for overly crazy things.
- Incoming submissions are reports that identify security problems.
- The reporter needs an account on the system.
- Submissions start private; only accessible to the reporter and the curl security team
- All submissions must be disclosed and made public once dealt with. Both correct and incorrect ones. This is important. We are Open Source. Maximum transparency is key.
- There should be a way to discuss the problem amongst security team members, the reporter and per-report invited guests.
- It should be possible to post security-team-only messages that the reporter and invited guests cannot see
- For confirmed vulnerabilities, an advisory will be produced that the system could help facilitate
- If there’s a field for CVE, make it possible to provide our own. We are after all our own CNA.
- Closed and disclosed reports should be clearly marked as invalid/valid etc
- Reports should have a tagging system so that they can be marked as "AI slop" or other terms for statistical and metric reasons
- Abusive users should be possible to ban/block from this program
- Additional (customizable) requirements for the privilege of submitting reports is appreciated (rate limit, time since account creation, etc)
E-Mail was also excluded for reasons listed there.
Recently, the cURL project moved from Hackerone to GitHub and back over AI slop resp. a subpar experience.
Daniel Stenberg [blogged about the process](https://daniel.haxx.se/blog/2026/02/25/curl-security-moves-again/) and stated some requirements why Codeberg, Gitlab et al were non-choices. Feels like something Forgejo can consider:
> ## What we want from a security reporting system
>
> To illustrate what we are looking for, I made a little list that should show that we’re not looking for overly crazy things.
>
> 1. Incoming submissions are reports that identify security problems.
> 2. The reporter needs an account on the system.
> 3. Submissions start private; only accessible to the reporter and the curl security team
> 4. All submissions must be disclosed and made public once dealt with. Both correct and incorrect ones. This is important. We are Open Source. Maximum transparency is key.
> 5. There should be a way to discuss the problem amongst security team members, the reporter and per-report invited guests.
> 6. It should be possible to post security-team-only messages that the reporter and invited guests cannot see
> 7. For confirmed vulnerabilities, an advisory will be produced that the system could help facilitate
> 8. If there’s a field for CVE, make it possible to provide our own. We are after all our own CNA.
> 9. Closed and disclosed reports should be clearly marked as invalid/valid etc
> 10. Reports should have a tagging system so that they can be marked as "AI slop" or other terms for statistical and metric reasons
> 11. Abusive users should be possible to ban/block from this program
> 12. Additional (customizable) requirements for the privilege of submitting reports is appreciated (rate limit, time since account creation, etc)
E-Mail was also excluded for reasons listed there.