Skip to main content
Private preview. fremforge is in private preview — invited customers only. Content is still subject to change. Request access →
Security
Vulnerability disclosure

Vulnerability disclosure policy

If you’ve found a security issue in fremforge, this page tells you how to report it, what’s in scope, what isn’t, and what we promise back. We follow ISO/IEC 29147 (vulnerability disclosure) and RFC 9116 (security.txt).

The machine-readable counterpart of this page lives at /.well-known/security.txt on every fremforge-operated domain. Researchers and automated tools should consume that endpoint; this page exists for humans reading from a search result.

How to report

  • Email: security@frem.sh (PGP key fingerprint listed in security.txt).
  • Preferred channel: encrypted email. Plain email is accepted; SMTP TLS to mailbox.org is mandatory at delivery.
  • Acknowledge target: within 72 hours, business days.
  • Triage target: within 5 business days we send you our severity assessment, expected fix window, and a tracking reference.

Please do not open public issues on frem.sh or post details on social/forum until we’ve coordinated a disclosure date.

What’s in scope

  • frem.sh and every subdomain we operate (*.frem.sh).
  • fremverk.com and *.fremverk.com.
  • Container images we publish under swr.eu-de.otc.t-systems.com/fremforge-prd/*.
  • Issues in the fremforge customer-facing API, admin UI, or runner controller.

What’s out of scope (and won’t be rewarded)

  • Findings in customer-owned content — code, secrets, files inside tenant repos. Report those to the tenant directly; that’s a customer-side incident.
  • Vulnerabilities in our upstream open-source dependencies (e.g. a CVE in forgejo itself). Please report those to the upstream project’s disclosure programme. We do track and patch them once a CVE is public.
  • Issues requiring physical access, social engineering of fremverk staff, or third-party services on the same network as fremforge users.
  • Reports based on outdated information (e.g. a screenshot of an old admin page from before a public migration).
  • “Best practice” findings without an exploitable scenario (e.g. “you should add X header”) — useful, but not a vulnerability.
  • DDoS, brute-force, or rate-limit-bypass reports. These are infrastructure tuning, not security flaws.

Severity SLAs

The clock starts at our acknowledgement.

SeverityFirst fix or mitigationPublic disclosure
Critical (CVSS 9.0–10.0)24 hours30 days after fix
High (CVSS 7.0–8.9)7 days60 days after fix
Medium (CVSS 4.0–6.9)30 days90 days after fix
Low (CVSS 0.1–3.9)90 daysbest-effort

Disclosure schedules can be extended by mutual agreement (e.g. when the fix requires customer action that takes time).

Safe-harbour

We will not pursue civil or criminal action against you, nor file complaints, when your research is conducted in good faith and you:

  • Do not access, modify, or delete data that doesn’t belong to you. Use test accounts wherever possible.
  • Do not degrade service for other users — no DoS, no high-volume scanning, no automated brute-force.
  • Do not exfiltrate more data than necessary to demonstrate impact. A few bytes is enough; we don’t need the database.
  • Report the issue privately through security@frem.sh and give us a reasonable window to fix before going public.
  • Comply with applicable law in the jurisdiction you’re operating from.

Research conducted in good faith under those terms is authorised under the Computer Misuse Act 1990 §17(5)(c) (UK), the Computer Fraud and Abuse Act 18 U.S.C. §1030(f) “research” exception (where applicable), and the equivalents in EU member states. Where local law requires explicit authorisation, this page constitutes that authorisation.

Bounty programme

We do not currently run a paid bounty programme. We do maintain a public hall-of-fame for researchers who report verified issues and consent to be named, and we send a fremverk-branded thank-you pack (tee, pin, sticker set) for any report we ship a fix for.

We expect to formalise a paid programme once fremforge crosses the customer threshold where it makes sense for both sides — currently scoped for 2026 H2.

Public disclosure history

When we ship a fix for a reported issue, we publish a short post-mortem on the status page with credit to the reporter (where consented). A dedicated advisories index lives at this URL post-launch.

See also

  • security.txt — the machine-readable version of this page.
  • Audit chain integrity — relevant context for “the audit log can’t be replayed by anyone” reports.
  • SIEM forwarding — relevant context for “the customer can’t see the event” reports.
BoM