For @ifin folks, I started a discussion about this on the Discourse here: https://discourse.ifin.network/t/carrot-disclosure-forgejo/

Reply to For @ifin folks, I started a discussion about this on the Discourse here: https://discourse.ifin.network/t/carrot-disclosure-forgejo/ on Wed, 29 Apr 2026 18:33:44 GMT

oilheap@infosec.exchange — Wed, 29 Apr 2026 18:33:44 GMT

@cxiao @kouhai @ifin oh, so this is not a researcher but a malicious party? Then we should prosecute them!

Reply to For @ifin folks, I started a discussion about this on the Discourse here: https://discourse.ifin.network/t/carrot-disclosure-forgejo/ on Wed, 29 Apr 2026 18:16:26 GMT

kouhai@social.treehouse.systems — Wed, 29 Apr 2026 18:16:26 GMT

@cxiao @oilheap @ifin one of the objections I’ve seen is “carrot disclosure doesn’t work when you’re punching downwards or sideways”/ “what additional resources can a volunteer-based project apply?”

(not focusing on the other objections, because I don’t want to retread the productive discussion from earlier)

Reply to For @ifin folks, I started a discussion about this on the Discourse here: https://discourse.ifin.network/t/carrot-disclosure-forgejo/ on Wed, 29 Apr 2026 18:14:19 GMT

demize@unstable.systems — Wed, 29 Apr 2026 18:14:19 GMT

@cxiao @kouhai I can understand the negative reaction; telling a well-respected and very open source project “you have serious issues but I’m not going to tell you what they actually are” without any attempt to actually flag the issues to them is… not great? it’s not like this is a company that can bring in someone to audit the code, it’s an open source project that would love to fix the issues but is resource constrained by virtue of being an open source project

it’s an inherently aggressive approach to disclosure and it doesn’t come off as “helpful” nearly as much as “condescending”, and while that’s one thing to direct at a corporation…

Reply to For @ifin folks, I started a discussion about this on the Discourse here: https://discourse.ifin.network/t/carrot-disclosure-forgejo/ on Wed, 29 Apr 2026 18:05:29 GMT

cxiao@infosec.exchange — Wed, 29 Apr 2026 18:05:29 GMT

@kouhai @oilheap @ifin TY! I'm a little surprised by the extreme negative reactions to this TBH. From the perspective of being a Forgejo or other OSS maintainer it sucks to see this. But at the end of the day attackers don't care and aren't going to tell you in this way, or any way, that you have serious issues

Reply to For @ifin folks, I started a discussion about this on the Discourse here: https://discourse.ifin.network/t/carrot-disclosure-forgejo/ on Wed, 29 Apr 2026 18:02:16 GMT

kouhai@social.treehouse.systems — Wed, 29 Apr 2026 18:02:16 GMT

@oilheap @cxiao @ifin for what it’s worth, we (treehouse staff and community) had a productive discussion with the author on discord; hopefully further updates will trickle out over the next days

Reply to For @ifin folks, I started a discussion about this on the Discourse here: https://discourse.ifin.network/t/carrot-disclosure-forgejo/ on Wed, 29 Apr 2026 17:57:27 GMT

oilheap@infosec.exchange — Wed, 29 Apr 2026 17:57:27 GMT

@cxiao @ifin "carrot disclosure" wtf. This is not the most stupid thing I've seen this week, but it's up there. This helps nobody and only inflates the ego of the researcher. The fact that they considered "sellability" of these issues already gives enough insight.