Application
I propose to be accountable for the Forgejo security and become part of the the security team.
- If you agree, please simply add a 👍 to this issue.
- If you disagree or have reservations, please write them down here, in a comment.
This application follows the Forgejo decision making process. It is still new: do not hesitate to voice any concern you may have.
Pledge
I pledge to read and respond in a timely manner to mails sent to security@forgejo.org.
I pledge to follow the principles of Coordinated vulnerability disclosure.
Background
I'm by no means a security professional and I don't have any formal education w.r.t. computer science, security or cryptography. But I am a Go developer with two years of experience and one and a half years of experience with the Forgejo/Gitea codebase.
I have previously been on the Gitea security team, where I fixed reported security exploits and simultaneously found several of them myself. While being on the temporary Forgejo security team, I have verified that Forgejo/Gitea were vulnerable to the two CVEs in Git and have realized (through a bug report) that certain email behavior could be exploited, for which I created a patch that was later upstreamed and caused a security release.
The security-related PRs that I have authored:
Security bug that I reported and provided a patch for:
### Application
I propose to be accountable for the Forgejo security and become part of the [the security team](https://codeberg.org/forgejo/meta/src/branch/readme/TEAMS.md#security).
1. If you agree, please simply add a 👍 to this issue.
2. If you disagree or have reservations, please write them down here, in a comment.
This application follows the Forgejo [decision making process](https://codeberg.org/forgejo/meta/src/branch/readme/DECISION-MAKING.md). It is still new: do not hesitate to voice any concern you may have.
### Pledge
I pledge to read and respond in a timely manner to mails sent to `security@forgejo.org`.
I pledge to follow the principles of [Coordinated vulnerability disclosure](https://en.wikipedia.org/wiki/Coordinated_vulnerability_disclosure).
### Background
I'm by no means a security professional and I don't have any formal education w.r.t. computer science, security or cryptography. But I am a Go developer with two years of experience and one and a half years of experience with the Forgejo/Gitea codebase.
I have previously been on the Gitea security team, where I fixed reported security exploits and simultaneously found several of them myself. While being on the temporary Forgejo security team, I have verified that Forgejo/Gitea were vulnerable to the two CVEs in Git and have realized (through a bug report) that certain email behavior could be exploited, for which I created a patch that was later upstreamed and caused a security release.
The security-related PRs that I have authored:
- https://github.com/go-gitea/gitea/pull/18359
- https://github.com/go-gitea/gitea/pull/17666
- https://github.com/go-gitea/gitea/pull/20133
- https://github.com/go-gitea/gitea/pull/20332
Security bug that I reported and provided a patch for:
- https://github.com/go-gitea/gitea/pull/22566