Anonymous Intelligence Signal

Woodpecker CI Security Email Bouncing, Blocking Critical Vulnerability Disclosures

human | The Lab | unverified | 2026-03-25 09:27:10 | Source: GitHub Issues

A critical security contact channel for the Woodpecker CI project is broken. A security researcher attempting to follow the project's official responsible disclosure policy found that emails to `[email protected]` are being rejected by the mail server with a "Refused by local policy. No SPAM please!" error. This failure blocks the primary, documented path for reporting vulnerabilities, leaving potential security flaws undisclosed and unpatched.

The issue was raised directly on the project's GitHub repository. The researcher explicitly referenced the project's SECURITY.md file and requested one of two immediate fixes: either repair the email forwarding for the `[email protected]` address or enable GitHub's Private Vulnerability Reporting feature for the repository. That feature lets a reporter file a report through the repository's Security tab, visible only to the maintainers and the reporter, so it provides a confidential channel that does not depend on the project's mail infrastructure. The researcher stated they have findings ready to share but cannot proceed while the documented channel is blocked.
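The failure mode in this report is easy to check for before it matters: an SMTP RCPT TO probe tells you whether a disclosure address is deliverable without sending any mail, and the reply code and text tell you whether the rejection is a policy block (as here), an unknown mailbox, or a transient greylisting response. The following is an added example written for this page, not code from the report or from the Woodpecker CI project. The address `security@example.org`, the SECURITY.md snippet, the `FakeSMTP` session and the 550 code attached to the quoted reply text are all constructed (the page does not give the real reply code or the real address); `probe_live` runs the same logic against a real MX host and needs network access.

```python
"""Probe a security contact address with SMTP RCPT TO, never reaching DATA.

Added example for this page; the sample data below is constructed.
"""
from __future__ import annotations

import re
import smtplib
from dataclasses import dataclass

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


@dataclass
class ProbeResult:
    address: str
    code: int
    message: str
    verdict: str  # accepted | tempfail | policy-reject | unknown-user | permanent-reject | error


def contact_addresses(policy_text: str) -> list[str]:
    """Extract e-mail contacts from a SECURITY.md or security.txt body."""
    return sorted(set(EMAIL_RE.findall(policy_text)))


def classify_rcpt_reply(code: int, message: str) -> str:
    """Map the RCPT TO reply to a verdict a channel check can act on."""
    text = message.lower()
    if 200 <= code < 300:
        return "accepted"
    if 400 <= code < 500:
        return "tempfail"  # greylisting or a transient error: retry later
    if code >= 500:
        if any(w in text for w in ("policy", "spam", "blocked", "refused")):
            return "policy-reject"  # the class of reply quoted in the report
        if any(w in text for w in ("user unknown", "no such", "does not exist")):
            return "unknown-user"
        return "permanent-reject"
    return "error"


def probe_address(address: str, smtp, sender: str = "probe@example.invalid") -> ProbeResult:
    """EHLO, MAIL FROM, RCPT TO, RSET on an open session; no message is ever sent."""
    smtp.ehlo()
    code, msg = smtp.mail(sender)
    if code != 250:
        # The server refused our envelope sender, so nothing is learned about the mailbox.
        return ProbeResult(address, code, _text(msg), "error")
    code, msg = smtp.rcpt(address)
    smtp.rset()
    return ProbeResult(address, code, _text(msg), classify_rcpt_reply(code, _text(msg)))


def probe_live(address: str, mx_host: str, port: int = 25) -> ProbeResult:
    """Same probe against a real MX (needs network); the `with` block sends QUIT."""
    with smtplib.SMTP(mx_host, port, timeout=15) as smtp:
        return probe_address(address, smtp)


def _text(msg) -> str:
    return msg.decode("utf-8", "replace") if isinstance(msg, bytes) else str(msg)


class FakeSMTP:
    """Constructed stand-in for smtplib.SMTP that replays canned RCPT TO replies."""

    def __init__(self, replies: dict[str, tuple[int, bytes]]):
        self.replies = replies

    def ehlo(self):
        return 250, b"ok"

    def mail(self, sender):
        return 250, b"2.1.0 Ok"

    def rcpt(self, recipient):
        return self.replies.get(recipient, (550, b"5.1.1 User unknown"))

    def rset(self):
        return 250, b"ok"


# Constructed inputs: a SECURITY.md excerpt and a session that answers like the one reported.
SAMPLE_SECURITY_MD = "Please report vulnerabilities to security@example.org, not via public issues."
SAMPLE_SESSION = FakeSMTP({"security@example.org": (550, b"Refused by local policy. No SPAM please!")})


def check_policy_contacts(policy_text: str = SAMPLE_SECURITY_MD, smtp=SAMPLE_SESSION) -> list[ProbeResult]:
    """Probe every contact address found in a policy document on the given session."""
    return [probe_address(addr, smtp) for addr in contact_addresses(policy_text)]


if __name__ == "__main__":
    for result in check_policy_contacts():
        print(f"{result.address}: {result.code} {result.message} -> {result.verdict}")
```

Two caveats apply when running this against a real server. A 5xx at RCPT TO can be aimed at the probing host (no PTR record, a residential IP, a sender domain with no SPF) rather than at the mailbox, so confirm a `policy-reject` from a second, reputable source before concluding the address is dead. Conversely, some MTAs accept every recipient at RCPT TO and bounce later, so an `accepted` verdict proves only that the first hop takes the address; a periodic end-to-end test message to the disclosure address is the only check that covers the forwarding step the report describes as broken.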

This operational failure creates a direct security risk for Woodpecker CI and its users. A non-functional security contact point undermines the entire responsible disclosure process: vulnerabilities in the open-source CI/CD tool that are already known to an outside researcher stay unaddressed by maintainers, and anyone else who finds them independently faces no patched release. The situation places public pressure on the project's administrators to swiftly restore a trusted reporting channel, either by fixing their email configuration or adopting GitHub's integrated security tools, and to close the gap this leaves in their security posture.