Re: Security contacts

From: Magnus Hagander
Subject: Re: Security contacts
Msg-id: CABUevExBwR2PL8vbf3gYtc7wHd0QfEtGGu9FBiyOTX9NR-jxWQ@mail.gmail.com
In reply to: Security contacts (Steve Atkins <steve@blighty.com>)
List: pgsql-www
On Fri, Apr 20, 2018 at 6:28 PM, Steve Atkins <steve@blighty.com> wrote:
> Somebody on IRC had a security issue they wanted to get to somebody.
>
> Looking around the site I didn't find any mention of security@postgresql.org anywhere obvious. I knew what I was looking for, so found it via Support -> Bug Reporting -> bug reporting guidelines -> right down at the bottom of the manual page.

There used to be a link directly to security from the frontpage. It appears to have gone missing in the upgrade of the frontpage layout. I think we need to get that back ASAP, that's clearly something we missed in the review of the update.


The path right now would be Support -> Security (per the menu).
There's also a pretty high profile section on Support directing you directly to Security.

So there should be no need to go via Bug Reporting, though that one of course also works.


> Might it be worth adding a section to /about/contact/ with either a pointer to security@postgresql.org or to a snippet of text taken from the "5.3 Where to Report Bugs" section of the manual?

Uh, it's already on /about/contact/?. It's the second thing on that page?


> Separately, adding /security.txt and /.well-known/security.txt might be a good idea - while the RFC draft for it ( https://securitytxt.io ) isn't particularly mature, it is a place where infosec people will look. And it's basically a text file with a few urls and some human readable comments, so it's easy enough to create.

But once created has to be maintained. Does *anybody* actually use it yet? Every single one of my "let's pick a random domain and try that one" 404's on it. So I'm pretty sure it's not where people would look today. But yeah, it's something to keep an eye out for in the future.
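The security.txt format discussed in the last exchange was later published as RFC 9116, and its mandatory Expires field is exactly the maintenance problem Magnus raises: a file that is created and forgotten becomes invalid on its own. The checker below is an added example, not code from this thread or from the postgresql.org site; it parses a security.txt body and reports the RFC 9116 MUST-level violations (missing Contact or Expires, a Contact that is not an https/mailto/tel URI, a past or malformed Expires, duplicated single-use fields) plus SHOULD-level warnings. The sample file is constructed for the demo: the mailto address is the one named in the thread, while the Canonical URL is a placeholder.

```python
# Added example (not from the thread or from postgresql.org): a checker for
# the security.txt format, as specified in RFC 9116. The sample file and the
# evaluation timestamps are constructed for the demonstration.
from datetime import datetime, timedelta, timezone

REQUIRED = ("contact", "expires")
AT_MOST_ONCE = ("expires", "preferred-languages")
KNOWN = {"contact", "expires", "acknowledgments", "canonical",
         "encryption", "hiring", "policy", "preferred-languages"}
CONTACT_SCHEMES = ("https://", "mailto:", "tel:")


def parse_security_txt(text):
    """Parse 'Field: value' lines into {lowercase_field: [values]}.

    Blank lines and '#' comments are skipped; any other line that is not a
    field line is reported. Field names are case-insensitive in RFC 9116.
    """
    fields, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            problems.append(f"line {lineno}: not a 'Field: value' line")
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields, problems


def check_security_txt(text, now):
    """Return (errors, warnings) for a security.txt body evaluated at `now`.

    `now` is a timezone-aware datetime or an ISO 8601 string with an offset.
    Errors are MUST-level violations; warnings are SHOULD-level advice.
    Running this from a scheduled job against the live file is what turns
    "once created has to be maintained" into an alert instead of a surprise.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    fields, errors = parse_security_txt(text)
    warnings = []
    for name in REQUIRED:
        if name not in fields:
            errors.append(f"missing required field {name.title()}")
    for name in AT_MOST_ONCE:
        if len(fields.get(name, [])) > 1:
            errors.append(f"{name.title()} may appear only once")
    for value in fields.get("contact", []):
        if not value.lower().startswith(CONTACT_SCHEMES):
            errors.append(f"Contact is not an https/mailto/tel URI: {value}")
    for value in fields.get("expires", [])[:1]:
        try:
            # RFC 9116 requires an ISO 8601 date-time. fromisoformat() only
            # accepts a trailing 'Z' from Python 3.11, so normalise it first.
            expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            errors.append(f"Expires is not an ISO 8601 date-time: {value}")
            continue
        if expires.tzinfo is None:
            errors.append("Expires must carry a timezone offset")
        elif expires <= now:
            errors.append(f"file expired on {value}; it must be refreshed")
        elif expires - now > timedelta(days=365):
            warnings.append("Expires is more than a year away (RFC 9116 recommends less)")
    for name in sorted(set(fields) - KNOWN):
        warnings.append(f"unknown field {name!r} (ignored by RFC 9116 parsers)")
    return errors, warnings


# Constructed sample. The Contact address is the one named in the thread;
# the Canonical URL is a placeholder, not a real location.
SAMPLE = """\
# Constructed example security.txt
Contact: mailto:security@postgresql.org
Expires: 2019-04-20T00:00:00Z
Preferred-Languages: en
Canonical: https://www.example.org/.well-known/security.txt
"""

if __name__ == "__main__":
    # Same file, checked on the day of the thread and again a year later.
    for when in ("2018-04-20T18:28:00+00:00", "2019-06-01T00:00:00+00:00"):
        errs, warns = check_security_txt(SAMPLE, when)
        print(when, "errors:", errs, "warnings:", warns)
```

The same file passes on 2018-04-20 and fails on 2019-06-01 with an "expired" error, which is the behaviour to monitor for: serve the file from /.well-known/security.txt (keep /security.txt as the legacy location) and re-run the check on a schedule so the Expires date is refreshed before it lapses.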
