Vulnerability disclosure

If you find a security vulnerability in Codebahn, we want to hear about it.

This policy covers the Codebahn service and infrastructure operated by Hackerman AB:

  • codebahn.net (the Forgejo instance, API, and Git endpoints)
  • docs.codebahn.net (the documentation site)
  • CI runner infrastructure (provisioning, networking, isolation)
  • The Codebahn CLI and MCP server (codebahn-mcp)

Out of scope:

  • Upstream Forgejo vulnerabilities. Report those to the Forgejo security team. If you are unsure whether a bug is upstream or Codebahn-specific, report it to us and we will triage.
  • Third-party services (Scaleway, Hetzner, Mollie, Crisp). Report to those vendors directly.
  • Social engineering, phishing, or physical attacks.

Email security@codebahn.net with:

  1. A description of the vulnerability.
  2. Steps to reproduce or a proof of concept.
  3. The affected component (web UI, API, Git, CI, infrastructure).
  4. Your assessment of severity and impact.

Encrypt your report if you prefer. Request our PGP key at the same address.

Do not open a public issue or pull request for security vulnerabilities.

  Step                                          Timeline
  --------------------------------------------  ------------------------------------------------
  Acknowledgement                               Within 2 business days
  Initial assessment and severity classification  Within 5 business days
  Status update with fix timeline               Within 10 business days
  Fix deployed (critical/high)                  As fast as possible, target within 7 days
  Fix deployed (medium/low)                     Within 30 days

We will keep you informed as we work on a fix. If we need more information, we will ask.

If you act in good faith and follow this policy, we will not pursue legal action against you. Good faith means:

  • You do not access, modify, or delete data belonging to other users.
  • You do not degrade the service for other users (no denial of service, no load testing without permission).
  • You stop testing and report promptly once you have enough information to demonstrate the vulnerability.
  • You give us reasonable time to fix the issue before any public disclosure.

We coordinate disclosure with the reporter. Once a fix is deployed, we will credit you in the disclosure (unless you prefer to remain anonymous). We aim to publish a brief advisory for any vulnerability with user-facing impact.

Codebahn is built on Forgejo. Vulnerabilities in upstream Forgejo code should be reported to the Forgejo project per their security policy. If you report an upstream issue to us, we will forward it to the Forgejo security team and coordinate with them.