Re: Security contacts

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Steve Atkins <steve(at)blighty(dot)com>
Cc: PostgreSQL WWW <pgsql-www(at)postgresql(dot)org>
Subject: Re: Security contacts
Date: 2018-04-22 15:44:32
Message-ID: CABUevExBwR2PL8vbf3gYtc7wHd0QfEtGGu9FBiyOTX9NR-jxWQ@mail.gmail.com
Lists: pgsql-www

On Fri, Apr 20, 2018 at 6:28 PM, Steve Atkins <steve(at)blighty(dot)com> wrote:

> Somebody on IRC had a security issue they wanted to get to somebody.
>
> Looking around the site I didn't find any mention of
> security(at)postgresql(dot)org anywhere obvious. I knew what I was looking for,
> so found it via Support -> Bug Reporting -> bug reporting guidelines ->
> right down at the bottom of the manual page.
>

There used to be a link directly to security from the frontpage. It appears
to have gone missing in the upgrade of the frontpage layout. I think we
need to get that back ASAP, that's clearly something we missed in the
review of the update.

The path right now would be Support -> Security (per the menu).
There's also a pretty high profile section on Support directing you
directly to Security.

So there should be no need to go via Bug Reporting, though that one of
course also works.

> Might it be worth adding a section to /about/contact/ with either a pointer
> to security(at)postgresql(dot)org or to a snippet of text taken from the "5.3
> Where to Report Bugs" section of the manual?
>

Uh, it's already on /about/contact/?. It's the second thing on that page?

> Separately, adding /security.txt and /.well-known/security.txt might be a
> good idea - while the RFC draft for it ( https://securitytxt.io ) isn't
> particularly mature, it is a place where infosec people will look. And it's
> basically a text file with a few urls and some human readable comments, so
> it's easy enough to create.
>

But once created has to be maintained. Does *anybody* actually use it yet?
Every single one of my "let's pick a random domain and try that one" 404's
on it. So I'm pretty sure it's not where people would look today. But yeah,
it's something to keep an eye out for in the future.

--
Magnus Hagander
Me: https://www.hagander.net/
Work: https://www.redpill-linpro.com/
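The security.txt format the thread discusses, as an added example that is not part of the thread or of the PostgreSQL project's code: a small Python parser and validator for a file served at /.well-known/security.txt. It follows the field names of the later published RFC 9116 (Contact, Expires, Policy, ...), not the 2018 draft the message refers to, so that is an assumption; the sample file body, the example.org addresses and URLs are constructed placeholders. The Expires check is the part that addresses the "once created has to be maintained" concern: a stale file is flagged rather than silently trusted.

```python
"""Parse and sanity-check a security.txt body (RFC 9116 field names).

Added example, not code from the pgsql-www thread. Assumes the published
RFC 9116 layout; the 2018 draft at securitytxt.io had fewer fields.
"""
from datetime import datetime, timezone

# Constructed sample file body; addresses and URLs are placeholders.
SAMPLE_SECURITY_TXT = """\
# Security contacts for example.org (constructed sample)
Contact: mailto:security@example.org
Contact: https://example.org/about/contact/
Expires: 2030-01-01T00:00:00Z
Policy: https://example.org/security/
Preferred-Languages: en
"""

# Field names are case-insensitive in the RFC, so everything is lowercased.
REQUIRED = ("contact", "expires")
REPEATABLE = {"contact", "encryption", "hiring", "policy", "acknowledgments", "canonical"}
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")


def _parse_ts(value):
    """Parse an ISO-8601 timestamp; a trailing 'Z' is mapped to +00:00."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_security_txt(text):
    """Return {field_name_lowercase: [values...]}.

    Blank lines and '#' comment lines are skipped; any other line must be
    'Field: value', otherwise ValueError is raised with the line number.
    """
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: not a 'Field: value' line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate_security_txt(text, now_iso=None):
    """Return a list of problems; an empty list means the file is acceptable.

    now_iso lets a caller pin 'now' for reproducible checks; by default the
    current UTC time is used.
    """
    now = _parse_ts(now_iso) if now_iso else datetime.now(timezone.utc)
    try:
        fields = parse_security_txt(text)
    except ValueError as exc:
        return [str(exc)]

    problems = []
    for req in REQUIRED:
        if req not in fields:
            problems.append(f"missing required field {req}")
    for name, values in fields.items():
        if len(values) > 1 and name not in REPEATABLE:
            problems.append(f"field {name} given {len(values)} times")
    for contact in fields.get("contact", []):
        if not contact.startswith(CONTACT_SCHEMES):
            problems.append(f"contact is not a mailto/https/tel URI: {contact}")
    for exp in fields.get("expires", []):
        try:
            when = _parse_ts(exp)
        except ValueError:
            problems.append(f"expires is not ISO-8601: {exp}")
            continue
        if when <= now:
            problems.append(f"file expired on {exp}")
    return problems


if __name__ == "__main__":
    # Usage: feed the body fetched from /.well-known/security.txt; the
    # constructed sample is used here so the script runs offline.
    for problem in validate_security_txt(SAMPLE_SECURITY_TXT) or ["ok"]:
        print(problem)
```

Running the validator periodically against your own site is the cheap way to keep the file honest: the moment Expires passes, or a contact address that no longer exists is still listed, the check fails instead of a reporter finding out the hard way.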
