Re: [pgsql-advocacy] MySQL worm attacks Windows servers

Peter Eisentraut <peter_e@gmx.net> writes:
> Dawid Kuroczko wrote:
>> I think it is in good taste that when you find a
>> bug/vulnerability/etc first you contact the author (in this case:
>> core), leave them some time to fix the problem and then go on
>> announcing it to the
>> world.

> In this case, core is not the author of the object in question.  And of
> course, to report a "bug/vulnerability/etc" you would write to
> pgsql-bugs, not core.

Josh's point is that if you don't want to publicize a vulnerability
to the entire world in advance of there being any chance to fix it,
you don't send your report to an open, publicly-archived bugs list.

We don't really have an official security contact.  The next best thing
is to send such reports to pgsql-core, which is not an open list, but
will reach a good chunk of those with an interest in fixing such
problems.

            regards, tom lane