Re: Any Update on Reported Vulnerability

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: "Jonathan S(dot) Katz" <jkatz(at)postgresql(dot)org>
Cc: "M(dot)Arslan Kabeer" <arslan(dot)whitehat(at)inbox(dot)eu>, Ray O'Donnell <ray(at)rodonnell(dot)ie>, pgsql-www(at)postgresql(dot)org
Subject: Re: Any Update on Reported Vulnerability
Date: 2021-05-04 13:49:35
Message-ID: 20210504134935.GB27412@momjian.us
Lists: pgsql-www

On Tue, May 4, 2021 at 09:44:50AM -0400, Jonathan Katz wrote:
> On 5/4/21 9:41 AM, Bruce Momjian wrote:
> > On Tue, May 4, 2021 at 12:50:24AM +0300, M.Arslan Kabeer wrote:
> >> Hi there,
> >> Team, kindly see that this is a P4 (priority 4) vulnerability. From this attack an
> >> attacker can spam your users by sending them email using your website's official
> >> email address. I have been rewarded 300$-350$ on this same vulnerability;
> >> kindly, some sort of reward would be much appreciated. I have found and
> >> reported another vulnerability, a critical one, kindly take a look.
> >
> > I now think we need to create a web page we can reference when people
> > looking for recognition/money try reporting things like this. Obviously
> > this reporting has attracted many unhelpful people and an official page
> > might help them to ignore us.
>
> Maybe add a FAQ to the security page:
>
> https://www.postgresql.org/support/security/
>
> (Actually looking at it, I'd like to make the "reporting an issue"
> directive at the top a bit more of a call out, given it is an important
> directive for actual vulnerability discoveries).

Well, we don't have any FAQs there, so adding just one seems odd. I
think we can put something in the top paragraph about the fact we don't
pay bug/security bounties, and that Postgres is very complex and it is
easy to misdiagnose expected behavior as a security problem. I think
that last item needs more thought, but I think it is important since we
wrestle with it regularly on the security email list.

--
Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
EDB https://enterprisedb.com

If only the physical world exists, free will is an illusion.
