Security
Effective Date: 2026-04-25 — Version: 1.0
Last updated: 2026-04-25
Report a vulnerability
Email security@frem.sh. Encrypted mail is welcome; the PGP key fingerprint is published on the trust page.
We acknowledge reports within 48 business hours (see the safe-harbour clause below for the formal commitment). Critical issues in the fremforge surface are patched ahead of upstream Forgejo when required; upstream bugs are coordinated with the Forgejo security team under their disclosure policy. Published time-to-patch commitments by severity are on the trust page.
Vulnerability disclosure
Report vulnerabilities to security@frem.sh.
A machine-readable disclosure policy is published at frem.sh/.well-known/security.txt per RFC 9116, including scope, contact, preferred languages, and acknowledgement window.
Safe harbour: good-faith research within the published scope is covered by safe harbour, and fremverk will not pursue legal action against researchers who follow the disclosure policy. We commit to acknowledging vulnerability reports within 48 business hours and to coordinated disclosure on a mutually agreed timeline.
PGP key fingerprint for security@frem.sh is published at frem.sh/trust#security-contact.
Scope
- frem.sh: Forgejo UI, Git protocol, API, package registry
- www.frem.sh, docs.frem.sh, status.frem.sh
- The fremforge-prdT Cloud tenant
- Email / transactional surfaces sending from @frem.sh
Out of scope
- Third-party integrations you configure against fremforge (report to the vendor)
- Findings that can only be reproduced from an already-authenticated, privileged user session and that grant nothing beyond what that user already has access to
What we publish
Security advisories are posted on the trust page and emailed to the security mailing list. Post-mortems for any incident that affected customer data or availability are published within 14 days.
Change log
| Version | Date | Change |
|---|---|---|
| 1.0 | 2026-04-25 | Initial publication. |