forgejo/discussions
49
43

Security reporting with a forge #448

Open
opened 2026年02月27日 13:55:09 +01:00 by Ryuno-Ki · 3 comments

Recently, the cURL project moved from Hackerone to GitHub and back over AI slop resp. a subpar experience.

Daniel Stenberg blogged about the process and stated some requirements why Codeberg, Gitlab et al were non-choices. Feels like something Forgejo can consider:

What we want from a security reporting system

To illustrate what we are looking for, I made a little list that should show that we’re not looking for overly crazy things.

  1. Incoming submissions are reports that identify security problems.
  2. The reporter needs an account on the system.
  3. Submissions start private; only accessible to the reporter and the curl security team
  4. All submissions must be disclosed and made public once dealt with. Both correct and incorrect ones. This is important. We are Open Source. Maximum transparency is key.
  5. There should be a way to discuss the problem amongst security team members, the reporter and per-report invited guests.
  6. It should be possible to post security-team-only messages that the reporter and invited guests cannot see
  7. For confirmed vulnerabilities, an advisory will be produced that the system could help facilitate
  8. If there’s a field for CVE, make it possible to provide our own. We are after all our own CNA.
  9. Closed and disclosed reports should be clearly marked as invalid/valid etc
  10. Reports should have a tagging system so that they can be marked as "AI slop" or other terms for statistical and metric reasons
  11. Abusive users should be possible to ban/block from this program
  12. Additional (customizable) requirements for the privilege of submitting reports is appreciated (rate limit, time since account creation, etc)

E-Mail was also excluded for reasons listed there.

Recently, the cURL project moved from Hackerone to GitHub and back over AI slop resp. a subpar experience. Daniel Stenberg [blogged about the process](https://daniel.haxx.se/blog/2026/02/25/curl-security-moves-again/) and stated some requirements why Codeberg, Gitlab et al were non-choices. Feels like something Forgejo can consider: > ## What we want from a security reporting system > > To illustrate what we are looking for, I made a little list that should show that we’re not looking for overly crazy things. > > 1. Incoming submissions are reports that identify security problems. > 2. The reporter needs an account on the system. > 3. Submissions start private; only accessible to the reporter and the curl security team > 4. All submissions must be disclosed and made public once dealt with. Both correct and incorrect ones. This is important. We are Open Source. Maximum transparency is key. > 5. There should be a way to discuss the problem amongst security team members, the reporter and per-report invited guests. > 6. It should be possible to post security-team-only messages that the reporter and invited guests cannot see > 7. For confirmed vulnerabilities, an advisory will be produced that the system could help facilitate > 8. If there’s a field for CVE, make it possible to provide our own. We are after all our own CNA. > 9. Closed and disclosed reports should be clearly marked as invalid/valid etc > 10. Reports should have a tagging system so that they can be marked as "AI slop" or other terms for statistical and metric reasons > 11. Abusive users should be possible to ban/block from this program > 12. Additional (customizable) requirements for the privilege of submitting reports is appreciated (rate limit, time since account creation, etc) E-Mail was also excluded for reasons listed there.

There's already a feature request: forgejo/forgejo#142. Stenberg's points have been brought up, too.

There's already a feature request: https://codeberg.org/forgejo/forgejo/issues/142. Stenberg's points have been brought up, too.

Thanks. I felt the concrete implementation vision is unclear enough that I looked into the discussion repo but haven't checked the forgejo one.

Thanks. I felt the concrete implementation vision is unclear enough that I looked into the discussion repo but haven't checked the forgejo one.

On a funny side:

In point 11, there is a logical error. As of now, it seems like abusive users should be possible to ban. Which basically would mean they have admin rights.

Passive form should be used.

On a more serious note: I agree. Especially with 4. Transparency indeed is key.

On a funny side: In point 11, there is a logical error. As of now, it seems like abusive users should be possible to ban. Which basically would mean they have admin rights. Passive form should be used. On a more serious note: I agree. Especially with 4. Transparency indeed is key.
Sign in to join this conversation.
No Branch/Tag specified
No results found.
No results found.
Labels
Clear labels
User research - Accessibility
Requires input about accessibility features, likely involves user testing.
User research - Blocked
Do not pick as-is! We are happy if you can help, but please coordinate with ongoing redesign in this area.
User research - Community
Community features, such as discovering other people's work or otherwise feeling welcome on a Forgejo instance.
User research - Config (instance)
Instance-wide configuration, authentication and other admin-only needs.
User research - Errors
How to deal with errors in the application and write helpful error messages.
User research - Filters
How filter and search is being worked with.
User research - Future backlog
The issue might be inspiring for future design work.
User research - Git workflow
AGit, fork-based and new Git workflow, PR creation etc
User research - Labels
Active research about Labels
User research - Moderation
Moderation Featuers for Admins are undergoing active User Research
User research - Needs input
Use this label to let the User Research team know their input is requested.
User research - Notifications/Dashboard
Research on how users should know what to do next.
User research - Rendering
Text rendering, markup languages etc
User research - Repo creation
Active research about the New Repo dialog.
User research - Repo units
The repo sections, disabling them and the "Add more" button.
User research - Security
User research - Settings (in-app)
How to structure in-app settings in the future?
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
3 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Reference
forgejo/discussions#448
Reference in a new issue
forgejo/discussions
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?