Re: Any Update on Reported Vulnerability

From: "M(dot)Arslan Kabeer" <arslan(dot)whitehat(at)inbox(dot)eu>
To: "Bruce Momjian" <bruce(at)momjian(dot)us>
Cc: "Jonathan S(dot) Katz" <jkatz(at)postgresql(dot)org>, "Ray O'Donnell" <ray(at)rodonnell(dot)ie>, pgsql-www(at)postgresql(dot)org
Subject: Re: Any Update on Reported Vulnerability
Date: 2021-05-05 20:51:55
Message-ID: 1620247915.6093056b18199@mail.inbox.eu
Lists: pgsql-www

<html>Hi there,<br />
Okay, I understand. Can I report further vulnerabilities?
<div class="noTransl">----- Reply to message -----<br />
<b>Subject: </b>Re: Any Update on Reported Vulnerability<br />
<b>Date: </b>Tue, 4 May 2021, 16:49<br />
<b>From: </b> Bruce Momjian <a href="mailto:bruce(at)momjian(dot)us">&lt;bruce(at)momjian(dot)us&gt;</a><br />
<b>To: </b> Jonathan S. Katz <a href="mailto:jkatz(at)postgresql(dot)org">&lt;jkatz(at)postgresql(dot)org&gt;</a></div>

<blockquote>On Tue, May 4, 2021 at 09:44:50AM -0400, Jonathan Katz wrote:<br />
&gt; On 5/4/21 9:41 AM, Bruce Momjian wrote:<br />
&gt; &gt; On Tue, May 4, 2021 at 12:50:24AM +0300, M.Arslan Kabeer wrote:<br />
&gt; &gt;&gt; Hi there,<br />
&gt; &gt;&gt; Team, kindly see that this is a P4 (priority 4) vulnerability. From this attack an<br />
&gt; &gt;&gt; attacker can spam your users by sending them email using your website's official<br />
&gt; &gt;&gt; email address. I have been rewarded 300$-350$ on this same vulnerability;<br />
&gt; &gt;&gt; kindly, some sort of reward would be much appreciated. I have found and reported<br />
&gt; &gt;&gt; another vulnerability, a critical one; kindly take a look.<br />
&gt; &gt;<br />
&gt; &gt; I now think we need to create a web page we can reference when people<br />
&gt; &gt; looking for recognition/money try reporting things like this. Obviously<br />
&gt; &gt; this reporting has attracted many unhelpful people and an official page<br />
&gt; &gt; might help them to ignore us.<br />
&gt;<br />
&gt; Maybe add a FAQ to the security page:<br />
&gt;<br />
&gt; <a href="https://www.postgresql.org/support/security/" target="_blank">https://www.postgresql.org/support/security/</a><br />
&gt;<br />
&gt; (Actually looking at it, I&#39;d like to make the &quot;reporting an issue&quot;<br />
&gt; directive at the top a bit more of a call out, given it is an important<br />
&gt; directive for actual vulnerability discoveries).<br />
<br />
Well, we don&#39;t have any FAQs there, so adding just one seems odd. I<br />
think we can put something in the top paragraph about the fact we don&#39;t<br />
pay bug/security bounties, and that Postgres is very complex and it is<br />
easy to misdiagnose expected behavior as a security problem. I think<br />
that last item needs more thought, but I think it is important since we<br />
wrestle with it regularly on the security email list.<br />
<br />
--<br />
Bruce Momjian &lt;bruce(at)momjian(dot)us&gt; <a href="https://momjian.us" target="_blank">https://momjian.us</a><br />
EDB <a href="https://enterprisedb.com" target="_blank">https://enterprisedb.com</a><br />
<br />
If only the physical world exists, free will is an illusion.<br />
&nbsp;</blockquote>
</html>
