Re: Any Update on Reported Vulnerability

On Tue, May  4, 2021 at 09:44:50AM -0400, Jonathan Katz wrote:
> On 5/4/21 9:41 AM, Bruce Momjian wrote:
> > On Tue, May  4, 2021 at 12:50:24AM +0300, M.Arslan Kabeer wrote:
> >> Hi there,
> >> Team kindly see that this is a P4 priority 4 vulnerability from this attack an
> >> attacker can spam your users by send them email using your website official
> >> email address, I have been rewarded 300$-350$ on this same vulnerability,
> >> kindly some sort of reward would be much appreciated. I have found and 
> reported
> >> another vulnerability a critical one, kindly take a look.
> > 
> > I now think we need to create a web page we can reference when people
> > looking for recognition/money try reporting things like this.  Obviously
> > this reporting has attracted many unhelpful people and an official page
> > might help them to ignore us.
> 
> Maybe add a FAQ to the security page:
> 
> https://www.postgresql.org/support/security/
> 
> (Actually looking at it, I'd like to make the "reporting an issue"
> directive at the top a bit more of a call out, given it is an important
> directive for actual vulnerability discoveries).

Well, we don't have any FAQs there, so adding just one seems odd.  I
think we can put something in the top paragraph about the fact we don't
pay bug/security bounties, and that Postgres is very complex and it is
easy to misdiagnose expected behavior as a security problem.  I think
that last item needs more thought, but I think it is important since we
wrestle with it regularly on the security email list.

-- 
  Bruce Momjian  <bruce@momjian.us>        https://momjian.us
  EDB                                      https://enterprisedb.com

  If only the physical world exists, free will is an illusion.