<html>Hi there,<br />
Okay, I understand. Can I report further vulnerabilities?
<div class="noTransl">----- Reply to message -----<br />
<b>Subject: </b>Re: Any Update on Reported Vulnerability<br />
<b>Date: </b>Tue, 4 May 2021, 16:49<br />
<b>From: </b> Bruce Momjian <a href="mailto:bruce(at)momjian(dot)us"><bruce(at)momjian(dot)us></a><br />
<b>To: </b> Jonathan S. Katz <a href="mailto:jkatz(at)postgresql(dot)org"><jkatz(at)postgresql(dot)org></a></div>
<blockquote>On Tue, May 4, 2021 at 09:44:50AM -0400, Jonathan Katz wrote:<br />
> On 5/4/21 9:41 AM, Bruce Momjian wrote:<br />
> > On Tue, May 4, 2021 at 12:50:24AM +0300, M.Arslan Kabeer wrote:<br />
> >> Hi there,<br />
> >> Team, kindly see that this is a P4 (priority 4) vulnerability. Through this attack an<br />
> >> attacker can spam your users by sending them email using your website's official<br />
> >> email address. I have been rewarded $300-$350 on this same vulnerability;<br />
> >> kindly, some sort of reward would be much appreciated. I have found and<br />
> >> reported<br />
> >> another vulnerability, a critical one; kindly take a look.<br />
> ><br />
> > I now think we need to create a web page we can reference when people<br />
> > looking for recognition/money try reporting things like this. Obviously<br />
> > this reporting has attracted many unhelpful people and an official page<br />
> > might help them to ignore us.<br />
><br />
> Maybe add a FAQ to the security page:<br />
><br />
> <a href="https://www.postgresql.org/support/security/" target="_blank">https://www.postgresql.org/support/security/</a><br />
><br />
> (Actually looking at it, I'd like to make the "reporting an issue"<br />
> directive at the top a bit more of a call out, given it is an important<br />
> directive for actual vulnerability discoveries).<br />
<br />
Well, we don't have any FAQs there, so adding just one seems odd. I<br />
think we can put something in the top paragraph about the fact we don't<br />
pay bug/security bounties, and that Postgres is very complex and it is<br />
easy to misdiagnose expected behavior as a security problem. I think<br />
that last item needs more thought, but I think it is important since we<br />
wrestle with it regularly on the security email list.<br />
<br />
--<br />
Bruce Momjian <bruce(at)momjian(dot)us> <a href="https://momjian.us" target="_blank">https://momjian.us</a><br />
EDB <a href="https://enterprisedb.com" target="_blank">https://enterprisedb.com</a><br />
<br />
If only the physical world exists, free will is an illusion.<br />
</blockquote>
</html>