Forgejo Hit by ‘Carrot Disclosure’ Controversy: Alleged RCE Flaw Sparks Debate on Security Practices

Breaking: Forgejo Vulnerability Disclosure Sparks Security Questions

A controversial method of disclosing an alleged remote-code-execution (RCE) flaw in the Forgejo software-collaboration platform has ignited a heated debate within the open-source community. The so-called “carrot disclosure” tactic—where a researcher offers to fix a vulnerability in exchange for public credit or a bug bounty—has raised serious concerns about both the researcher’s approach and Forgejo’s security posture.

“This is not standard practice and undermines trust in coordinated disclosure,” said Dr. Elena Marcov, a cybersecurity researcher at OpenTech Institute. “It places pressure on maintainers and blurs the line between ethical reporting and exploitation.”

The flaw, if confirmed, could allow attackers to execute arbitrary code on Forgejo instances. Forgejo, a fork of Gitea, is used by thousands of organizations for collaborative software development.

Background

The disclosure, made in early April 2025, involved a researcher who presented the vulnerability to Forgejo maintainers along with an offer: publicly acknowledge the finding or pay a bounty. This “carrot disclosure” approach contrasts with the well-established coordinated vulnerability disclosure (CVD) process, where researchers privately notify maintainers and work together on a fix before any public announcement.

Forgejo’s security team responded by releasing an advisory (see below) and patching the flaw within 48 hours. However, the researcher’s method has sparked questions about the project’s overall security policies, including whether it offers a proper bug bounty program or accepted responsible disclosure channels.

“We’re reviewing our security procedures, but this incident highlights a gap in how we handle informal reports,” a Forgejo maintainer told Breaking Tech News on condition of anonymity.

What This Means

The “carrot disclosure” controversy has broad implications for open-source security. It underscores the tension between independent researchers seeking recognition or compensation and project volunteers who often lack resources for bug bounties. “Developers need clear rules and incentives,” noted Marcus Lin, author of Open Source Defense. “Ambiguity breeds distrust.”

For Forgejo users, the immediate risk appears contained—the fix is available in version 8.2.1. But the long-term impact may be a push for standardized security processes across open-source platforms. “We need to prevent future incidents by adopting clear disclosure protocols,” said Janelle Torres, CTO of CodeSafe Labs.

Meanwhile, the researcher who initiated the carrot disclosure has not responded to requests for comment. The full timeline of the disclosure and Forgejo’s response is detailed in the project’s security advisory.

Key Details

• Vulnerability type: Remote Code Execution (RCE)
• Affected software: Forgejo versions prior to 8.2.1
• Disclosure method: “Carrot disclosure”—offer to fix in exchange for credit/bounty
• Patch released: April 5, 2025
• CVSS score: Not yet assigned

Expert Reactions

“Carrot disclosure is ethically murky,” warned Dr. Marcov. “It can be seen as a threat, not a help.”

“Projects must actively incentivize ethical reporting,” added Lin. “Otherwise, researchers may resort to such tactics to get attention.”

Forgejo plans to host a community call on security practices next week. The recording will be posted on their official forum.