Application
I propose to become part of the security team.
- If you agree, please simply add a 👍 to this issue.
- If you disagree or have reservations, please write them in a comment below and I will do my best to address them.
This application follows the Forgejo decision making process (accepted after 2 weeks, unless concerns are raised).
Pledge
I pledge to act in accordance with the code of conduct, and all other rules and processes agreed via the Forgejo decision making process.
If there is an agreement for me to be a member of the team, I will consider applying again a year later.
I pledge to read and respond in a timely manner to mails sent to security@forgejo.org.
I pledge to follow the principles of Coordinated vulnerability disclosure.
Background
I am currently a member of the security team as per the agreement from last year.
I am definitely not a security professional and I have no formal training or education in computer science, security or cryptography. But I am a Go developer with 3 years of experience and 2.5 years of experience with the Forgejo codebase and have been a member of the Forgejo (before that Gitea) security team for the past 1.5 years.
On top of what the previous agreement listed, in the last year I've continued to work on creating patches for security vulnerabilities, analyzed incoming security reports and security vulnerabilities in dependencies that Forgejo uses and I've continued to do security research against the codebase to find security vulnerabilities, with success.
The following is a meaningless list of the public work I've done in the past year as part of the security team:
- https://forgejo.org/2023-02-17-release-v1-18-3-2/#security-issues-in-git & https://forgejo.org/2023-01-18-release-v1-18-1-0/#critical-security-issues-in-git: Analyzed if the Git vulnerabilities could be exploited in Forgejo.
- https://forgejo.org/2023-02-23-release-v1185-0: Analyzed and worked on creating the patch for the 'weak' password hashes.
- https://forgejo.org/2023-10-release-v1-20-5-0/#long-term-authentication-token: Found, analyzed, researched and worked on created a patch to rework the long term authentication token from scratch to be secure.
- https://forgejo.org/2023-11-release-v1-20-5-1/: Found and analyzed the vulnerable endpoints to manually crafting identifiers.