Re: Any Update on Reported Vulnerability

On 5/4/21 9:41 AM, Bruce Momjian wrote:
> On Tue, May  4, 2021 at 12:50:24AM +0300, M.Arslan Kabeer wrote:
>> Hi there,
>> Team kindly see that this is a P4 priority 4 vulnerability from this attack an
>> attacker can spam your users by send them email using your website official
>> email address, I have been rewarded 300$-350$ on this same vulnerability,
>> kindly some sort of reward would be much appreciated. I have found and
reported
>> another vulnerability a critical one, kindly take a look.
>
> I now think we need to create a web page we can reference when people
> looking for recognition/money try reporting things like this.  Obviously
> this reporting has attracted many unhelpful people and an official page
> might help them to ignore us.

Maybe add a FAQ to the security page:

https://www.postgresql.org/support/security/

(Actually looking at it, I'd like to make the "reporting an issue"
directive at the top a bit more of a call out, given it is an important
directive for actual vulnerability discoveries).

Jonathan