Carrot disclosure: Forgejo

micdan:

but they also need to understand Forgejo will potentially never be as big as GitHub, so failures are pretty much expected.

The article explicitly says these issues probaby arent event their fault.

the sorry state of the codebase (not their fault though, they inherited the gitea/gogs ones)

notwithstanding:

There’s no point in contributing to an open source project, because it will always be bad?

Isn’t disclosing the vulnerabilies already contributing in some way? I think the author makes a resonable case about why they did not go directly to Forgejo because of the Security Policy.