Forgejo Security Flaw Exposed via Unconventional 'Carrot Disclosure' – Experts Weigh In

Breaking: Forgejo Bug Disclosed Under Controversial 'Carrot' Model

A remote-code-execution (RCE) vulnerability in the Forgejo software-collaboration platform has been revealed through an unusual and contentious method dubbed a “carrot disclosure,” prompting urgent questions about vulnerability reporting ethics and the project’s security posture.

The flaw, which could allow an attacker to execute arbitrary code on affected servers, was reported by a researcher who offered the details and a fix only after receiving a reward or acknowledgement – a practice criticized for bypassing standard responsible disclosure norms.

What Is a 'Carrot Disclosure'?

Cybersecurity analyst Dr. Lena Hart explains: “In a carrot disclosure, the researcher withholds full technical details and a patch until they are given some form of compensation, like a bounty or public credit. It’s a high-risk tactic that can leave users exposed while negotiations drag on.”

The method is distinct from “responsible disclosure,” where the finder reports privately to the vendor first, and from full public disclosure, which shares details immediately. Carrot disclosures sit in a grey zone, often criticized for prioritizing individual gain over community safety.

Background

Forgejo is a popular open-source platform for code hosting and collaborative development, similar to GitHub or GitLab. It is used by organizations that prioritize self-hosted, privacy-focused solutions. The platform has maintained a vulnerability reporting policy that encourages private disclosure via email.

In April 2025, an independent security researcher contacted Forgejo maintainers claiming to have found an RCE bug. Instead of following the project’s preferred private channel, the researcher posted a cryptic advisory online and demanded a “carrot” – essentially a reward or public acknowledgment – before releasing the exploit details or a patch.

Project Response

Forgejo’s security team confirmed the vulnerability exists and released a patch on May 1, but the delay caused friction. A Forgejo spokesperson told reporters: “We take all security reports seriously. While we appreciate the researcher’s work, the manner of disclosure placed our users at unnecessary risk for several days. We are reviewing our policies to handle such situations better.”

The project has since updated its security page to clarify its preferred disclosure channels and added a bug bounty program to incentivize responsible reporting.

What This Means

This incident highlights growing tensions in the open-source security ecosystem. As platforms like Forgejo become more critical, researchers are increasingly seeking recognition or payment for their finds – even if it means skirting traditional protocols.

“The carrot disclosure isn’t entirely new, but it’s becoming more common,” says Dr. Hart. “It forces projects to balance urgency with trust. If not handled carefully, it could erode the goodwill that underpins open-source collaboration.”

For Forgejo users, the breach of standard disclosure norms means they must stay vigilant. The project has assured users that the RCE flaw has been patched, but the broader lesson is that any open-source project’s security now depends on transparent, incentivized reporting processes.

Industry Reactions

Security researcher Kevin Tran, who has reported bugs to multiple open-source projects, comments: “Carrot disclosures are a double-edged sword. They can speed up patch releases if the vendor responds quickly, but they also create an adversarial atmosphere. We need clearer industry-wide guidelines.”

The Linux Foundation and other bodies are reportedly discussing new standards for vulnerability disclosure in open source, including bounties and safe harbor clauses that protect researchers who follow the rules.

Next Steps for Forgejo

Forgejo has implemented a dedicated security email and is working on a formal vulnerability response plan. The project also plans to launch a bug bounty program in partnership with a third-party platform.

“We hope this incident serves as a catalyst for better communication between researchers and maintainers,” the Forgejo spokesperson said. “Security is a shared responsibility.”

Update: Forgejo users are urged to upgrade to the latest version immediately. For more details, see the project’s security advisory.
