- decide who will receive security reports
- set up an email address for security reports (such as
security@forgejo.org) - create an OpenPGP keypair for the above email account
- publish the OpenPGP public key
- share the OpenPGP private key with the security team
- set up Keyoxide proofs for the OpenPGP public key
Discussed on Matrix, where @Gusted volunteered to handle security reports and @fnetX proposed creating a joint Codeberg / Forgejo security team.
Needed for forgejo/forgejo#9 / forgejo/forgejo#18.