Thread: Any Update on Reported Vulnerability

Any Update on Reported Vulnerability

From
arslan.whitehat@inbox.eu
Date:
Hi there,
Team any update on the vulnerability report,I have reported a DMARC vulnerability on 2021-04-15, and its been a while
kindlyupdate me about the vulnerability progress.
 
I am also attaching the POC images again.
I am hoping to receive a reward for the responsible disclosure of the vulnerability
Kind regards
White HaT
Attachment

Re: Any Update on Reported Vulnerability

From
Bruce Momjian
Date:
On Fri, Apr 30, 2021 at 08:36:34PM +0300, arslan.whitehat@inbox.eu wrote:
> Hi there,
> Team any update on the vulnerability report,I have reported a DMARC vulnerability on 2021-04-15, and its been a while
kindlyupdate me about the vulnerability progress.
 
> I am also attaching the POC images again.
> I am hoping to receive a reward for the responsible disclosure of the vulnerability

We don't give rewards, and this is a public email list.

-- 
  Bruce Momjian  <bruce@momjian.us>        https://momjian.us
  EDB                                      https://enterprisedb.com

  If only the physical world exists, free will is an illusion.




Re: Any Update on Reported Vulnerability

From
Ray O'Donnell
Date:
On 30/04/2021 18:36, arslan.whitehat@inbox.eu wrote:
> Hi there, Team any update on the vulnerability report,I have reported
> a DMARC vulnerability on 2021-04-15, and its been a while kindly
> update me about the vulnerability progress. I am also attaching the
> POC images again. I am hoping to receive a reward for the responsible
> disclosure of the vulnerability Kind regards White HaT

There was a response at the time from a member of the relevant team, 
explaining that it wasn't actually a vulnerability - you'll find it in 
the archives.

Ray.

-- 
Raymond O'Donnell // Galway // Ireland
ray@rodonnell.ie



Re: Any Update on Reported Vulnerability

From
Bruce Momjian
Date:
On Tue, May  4, 2021 at 12:50:24AM +0300, M.Arslan Kabeer wrote:
> Hi there,
> Team kindly see that this is a P4 priority 4 vulnerability from this attack an
> attacker can spam your users by send them email using your website official
> email address, I have been rewarded 300$-350$ on this same vulnerability,
> kindly some sort of reward would be much appreciated. I have found and reported
> another vulnerability a critical one, kindly take a look.

I now think we need to create a web page we can reference when people
looking for recognition/money try reporting things like this.  Obviously
this reporting has attracted many unhelpful people and an official page
might help them to ignore us.

-- 
  Bruce Momjian  <bruce@momjian.us>        https://momjian.us
  EDB                                      https://enterprisedb.com

  If only the physical world exists, free will is an illusion.




Re: Any Update on Reported Vulnerability

From
"Jonathan S. Katz"
Date:
On 5/4/21 9:41 AM, Bruce Momjian wrote:
> On Tue, May  4, 2021 at 12:50:24AM +0300, M.Arslan Kabeer wrote:
>> Hi there,
>> Team kindly see that this is a P4 priority 4 vulnerability from this attack an
>> attacker can spam your users by send them email using your website official
>> email address, I have been rewarded 300$-350$ on this same vulnerability,
>> kindly some sort of reward would be much appreciated. I have found and
reported
>> another vulnerability a critical one, kindly take a look.
>
> I now think we need to create a web page we can reference when people
> looking for recognition/money try reporting things like this.  Obviously
> this reporting has attracted many unhelpful people and an official page
> might help them to ignore us.

Maybe add a FAQ to the security page:

https://www.postgresql.org/support/security/

(Actually looking at it, I'd like to make the "reporting an issue"
directive at the top a bit more of a call out, given it is an important
directive for actual vulnerability discoveries).

Jonathan


Attachment

Re: Any Update on Reported Vulnerability

From
Bruce Momjian
Date:
On Tue, May  4, 2021 at 09:44:50AM -0400, Jonathan Katz wrote:
> On 5/4/21 9:41 AM, Bruce Momjian wrote:
> > On Tue, May  4, 2021 at 12:50:24AM +0300, M.Arslan Kabeer wrote:
> >> Hi there,
> >> Team kindly see that this is a P4 priority 4 vulnerability from this attack an
> >> attacker can spam your users by send them email using your website official
> >> email address, I have been rewarded 300$-350$ on this same vulnerability,
> >> kindly some sort of reward would be much appreciated. I have found and 
> reported
> >> another vulnerability a critical one, kindly take a look.
> > 
> > I now think we need to create a web page we can reference when people
> > looking for recognition/money try reporting things like this.  Obviously
> > this reporting has attracted many unhelpful people and an official page
> > might help them to ignore us.
> 
> Maybe add a FAQ to the security page:
> 
> https://www.postgresql.org/support/security/
> 
> (Actually looking at it, I'd like to make the "reporting an issue"
> directive at the top a bit more of a call out, given it is an important
> directive for actual vulnerability discoveries).

Well, we don't have any FAQs there, so adding just one seems odd.  I
think we can put something in the top paragraph about the fact we don't
pay bug/security bounties, and that Postgres is very complex and it is
easy to misdiagnose expected behavior as a security problem.  I think
that last item needs more thought, but I think it is important since we
wrestle with it regularly on the security email list.

-- 
  Bruce Momjian  <bruce@momjian.us>        https://momjian.us
  EDB                                      https://enterprisedb.com

  If only the physical world exists, free will is an illusion.




Re: Any Update on Reported Vulnerability

From
Justin Clift
Date:
Sure.  But please remember, we're an OSS project and don't
pay for vulnerability reports. :)

+ Justin


On 2021-05-06 06:51, M.Arslan Kabeer wrote:
> Hi there,
> Okay I understand can I report further vulnerabilities?