[FEAT] Secure reporting of security issues #142

The security category must be hidden except to repo "owners" (or designated teams).

I'd extend this with "the issue should be open to the reporter", if you need internal handling do it in a 2nd issue, but allow the reporter to a) get feedback (and potentially help you by giving additional answers / clarifying) and b) potentially add to / improve the report when they find out more...

Else I'm all for it...

Re Encryption, this is always a bit hairy as the server will always have to have the key somewhere (unless we use a public key and the security team needs to use it to decrypt, which would be an absolute mess if we want the backchannel).

I'd at least like to have the option to enforce 2fa for being in the team (reporting should not require 2fa, as it would once again increase the burden to submission)

Today I had the shower thought, whether something like SecureDrop could be hosted alongside Forgejo to accept secuirty disclosures.

I believe no forge currently has this functionality

GitHub supports this now and may be worth looking at for inspiration.

What is the current feeling on this? I would consider contributing, if I knew what the current desired outcome was. I see the references above, but it is clear to me that a security dashboard (e.g. with SBOM vulnerability scanning) is quite different to security reporting needs for a specific repo.

@addisoncrump I suggest you start with contributing bug fixes before trying your hand on a new feature. There are plenty around and it will greatly help you get clarity on how the codebase is organized. What do you think?

A fair suggestion. I do still want to know what the general consensus of this is, because this feature is important to me and I would like to eventually help development in this particular feature.

Such a feature would be accepted in Forgejo, if implemented in a secure-by-design way (forgejo/design#2). There are other people interested in contributing this feature and it might be best to not have separate efforts to implement this.

Certainly. Who else is interested? I will look into contributing to bug/confirmed+good-first-issue for now to get my hands dirty and will swing back to this when I'm more familiar.

A word of advice: this is one of the most difficult feature to implement. Be prepared for a long run. I'm not trying to discourage you, this can be a very exciting adventure.

I'm one of the champions of the Nivenly Fediverse Security Fund, and we've noticed that a significant number of codeberg/forgejo-hosted projects don't have any security vulnerability responsible disclosure process in place, so I'd definitely like to see this.

Maybe this is something NLNet would also be interested in sponsoring the work on, since they do care about security, and this will be a major blocker for existing open-source projects with large user-bases moving from GitHub to forgejo/codeberg.

and this will be a major blocker for existing open-source projects with large user-bases moving from GitHub to forgejo/codeberg.

Do you have a specific example in mind?

As a member of the Forgejo security team, the vast majority of the time is spent on analyzing and fixing vulnerabilities. I would welcome dedicated tooling to reduce the overhead of setting up secure communication channels and a private infrastructure for developing fixes under embargo. But in the case of a project like Forgejo this is a very small fraction of the effort and would certainly not be a blocker. In the case of larger projects the ratio is likely similar and the fraction dedicated to the tooling is probably even smaller.

Am I missing something?

@earl-warren so take a project like Mastodon or Node.js that have a dedicated tab for Security that helps steer people in the right direction (it's just rendering security.md in the repo on a separate page, and if that file doesn't exist, helps guide them to create that)

Just having that information and guiding page helps, then from there issues that are only visible to repo owners + reporter would be the next step. Perhaps that form could have a specific structure to have a common structure between all security vulnerability reports.

We don't necessarily need to start with private pull requests, or anything like that, just giving people the tools to say "here's how to contact us for security things" it could even just trigger an email with the users' email address in reply-to, rather than full fledged issues UI.

Is this the major blocker you mentioned above?

Ideally, I think projects would want the private issues between reporter and team, but doing it via email in the short term could work too. The main thing is having a way to coordinate information disclosure, without that, that would be a blocker.

But just surfacing security information clearly would be a very good first step.

@addisoncrump wrote in #142 (comment):

Certainly. Who else is interested?

@ngortheone expressed interest in this, and IIRC some Fedora people also expressed interest into this (gentle CC @jednorozec). It would be best if implementing this feature could be collaborated, I invite you to join the Forgejo developer matrix room. There's also forgejo/design#2 that contains design choices for private issues.

Hi everyone, as we’re slowly but surely rolling out Forgejo in the Fedora Project, private issues are becoming a priority. You can track our work in this epic.
We plan to implement a solution based on the recommendations in the design ticket. Expect a bit more activity around this in the coming months.

(fyi since the Fedora project migrated, it's now at https://forge.fedoraproject.org/forge/forge/issues/113)

I think this might be interesting here: Daniel Stenberg made a list of needs the curl project has for a security reporting system: https://daniel.haxx.se/blog/2026/02/25/curl-security-moves-again/