Re: Any Update on Reported Vulnerability

From: "Jonathan S(dot) Katz" <jkatz(at)postgresql(dot)org>
To: Bruce Momjian <bruce(at)momjian(dot)us>, "M(dot)Arslan Kabeer" <arslan(dot)whitehat(at)inbox(dot)eu>
Cc: Ray O'Donnell <ray(at)rodonnell(dot)ie>, pgsql-www(at)postgresql(dot)org
Subject: Re: Any Update on Reported Vulnerability
Date: 2021-05-04 13:44:50
Message-ID: ceae2cb1-8aa5-9705-de27-9d9106ac2685@postgresql.org
Lists: pgsql-www

On 5/4/21 9:41 AM, Bruce Momjian wrote:
> On Tue, May 4, 2021 at 12:50:24AM +0300, M.Arslan Kabeer wrote:
>> Hi there,
>> Team kindly see that this is a P4 priority 4 vulnerability from this attack an
>> attacker can spam your users by sending them email using your website's official
>> email address, I have been rewarded 300$-350$ on this same vulnerability,
>> kindly some sort of reward would be much appreciated. I have found and reported
>> another vulnerability a critical one, kindly take a look.
>
> I now think we need to create a web page we can reference when people
> looking for recognition/money try reporting things like this. Obviously
> this reporting has attracted many unhelpful people and an official page
> might help them to ignore us.

Maybe add a FAQ to the security page:

https://www.postgresql.org/support/security/

(Actually looking at it, I'd like to make the "reporting an issue"
directive at the top a bit more of a call out, given it is an important
directive for actual vulnerability discoveries).

Jonathan
