On 5/4/21 9:41 AM, Bruce Momjian wrote:
> On Tue, May 4, 2021 at 12:50:24AM +0300, M.Arslan Kabeer wrote:
>> Hi there,
>> Team kindly see that this is a P4 priority 4 vulnerability from this attack an
>> attacker can spam your users by sending them email using your website official
>> email address, I have been rewarded 300$-350$ on this same vulnerability,
>> kindly some sort of reward would be much appreciated. I have found and
>> reported another vulnerability a critical one, kindly take a look.
>
> I now think we need to create a web page we can reference when people
> looking for recognition/money try reporting things like this. Obviously
> this reporting has attracted many unhelpful people and an official page
> might help them to ignore us.

Maybe add a FAQ to the security page:

https://www.postgresql.org/support/security/

(Actually looking at it, I'd like to make the "reporting an issue"
directive at the top a bit more of a call out, given it is an important
directive for actual vulnerability discoveries).

Jonathan