Thread: Any Update on Reported Vulnerability
Hi there,

Team, any update on the vulnerability report? I reported a DMARC vulnerability on 2021-04-15, and it's been a while; kindly update me on the progress of the vulnerability.
I am also attaching the POC images again.
I am hoping to receive a reward for the responsible disclosure of the vulnerability.

Kind regards,
White HaT
On Fri, Apr 30, 2021 at 08:36:34PM +0300, arslan.whitehat@inbox.eu wrote:
> Hi there,
> Team, any update on the vulnerability report? I reported a DMARC vulnerability on 2021-04-15, and it's been a while; kindly update me on the progress of the vulnerability.
> I am also attaching the POC images again.
> I am hoping to receive a reward for the responsible disclosure of the vulnerability.

We don't give rewards, and this is a public email list.

-- 
Bruce Momjian <bruce@momjian.us> https://momjian.us
EDB https://enterprisedb.com

If only the physical world exists, free will is an illusion.
On 30/04/2021 18:36, arslan.whitehat@inbox.eu wrote:
> Hi there, Team, any update on the vulnerability report? I reported
> a DMARC vulnerability on 2021-04-15, and it's been a while; kindly
> update me on the progress of the vulnerability. I am also attaching the
> POC images again. I am hoping to receive a reward for the responsible
> disclosure of the vulnerability. Kind regards, White HaT

There was a response at the time from a member of the relevant team, explaining that it wasn't actually a vulnerability - you'll find it in the archives.

Ray.

-- 
Raymond O'Donnell // Galway // Ireland
ray@rodonnell.ie
On Tue, May 4, 2021 at 12:50:24AM +0300, M.Arslan Kabeer wrote:
> Hi there,
> Team, kindly see that this is a P4 (priority 4) vulnerability: from this attack an
> attacker can spam your users by sending them email using your website's official
> email address. I have been rewarded $300-$350 for this same vulnerability;
> kindly, some sort of reward would be much appreciated. I have found and reported
> another vulnerability, a critical one; kindly take a look.

I now think we need to create a web page we can reference when people looking for recognition/money try reporting things like this. Obviously this reporting has attracted many unhelpful people, and an official page might help them to ignore us.

-- 
Bruce Momjian <bruce@momjian.us> https://momjian.us
EDB https://enterprisedb.com

If only the physical world exists, free will is an illusion.
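The claim quoted above ("an attacker can spam your users by sending them email using your website's official email address") hinges entirely on what a receiving mail server does with mail that fails DMARC alignment, and that is decided by the sending domain's published policy. Before filing (or triaging) a report like this, the check a practitioner wants is the effective policy a receiver would apply. Below is an added example, written for this page and not code from the PostgreSQL project or from anyone in the thread; it parses a DMARC TXT record by the RFC 7489 tag rules (v= first, p= required, sp= for subdomains, pct= sampling, and the fallback to p=none when p= is missing but rua= is present) and reports what a failing message would get. The record strings are constructed samples for illustration; nothing here reflects any real domain's DNS.

```python
"""Classify a DMARC TXT record the way a receiving MTA would (RFC 7489).

Added example for the thread above; the sample records are constructed,
not looked up from DNS, and say nothing about any real domain.
"""

VALID_P = ("none", "quarantine", "reject")

# Constructed sample records (assumption: these are illustrative only).
SAMPLES = {
    "none":       "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
    "quarantine": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.org",
    "reject":     "v=DMARC1; p=reject; sp=none",
    "missing_p":  "v=DMARC1; rua=mailto:dmarc@example.org",  # no p= but rua= present
    "wrong_v":    "p=reject; v=DMARC1",                      # v= must be the first tag
}


def parse_dmarc(txt):
    """Return a dict of tag -> value, or None if the record must be ignored.

    RFC 7489 s6.6.3: a record whose v= tag is not first, or is not exactly
    DMARC1, is discarded. A record with no valid p= tag is also discarded,
    unless it carries a rua= URI, in which case the receiver acts as if
    p=none had been published.
    """
    tags = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        name, value = part.split("=", 1)
        tags.append((name.strip().lower(), value.strip()))
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    rec = dict(tags)
    if rec.get("p") not in VALID_P:
        if rec.get("rua", "").lower().startswith("mailto:"):
            rec["p"] = "none"
        else:
            return None
    return rec


def effective_policy(txt, is_subdomain=False):
    """(policy, pct) a receiver applies to mail that fails DMARC for this domain.

    policy is 'none', 'quarantine', 'reject', or 'no-policy' when the record
    is invalid. pct is the sampling percentage that quarantine/reject apply to.
    """
    rec = parse_dmarc(txt)
    if rec is None:
        return ("no-policy", 0)
    policy = rec["p"]
    if is_subdomain and rec.get("sp") in VALID_P:
        policy = rec["sp"]          # sp= overrides p= for subdomain senders
    pct = rec.get("pct", "100")
    pct = int(pct) if pct.isdigit() and 0 <= int(pct) <= 100 else 100
    if policy == "none":
        pct = 0                     # nothing to sample when no action is taken
    return (policy, pct)


def verdict(txt, is_subdomain=False):
    """One-line summary of what spoofed mail from this domain would get."""
    policy, pct = effective_policy(txt, is_subdomain)
    if policy == "no-policy":
        return "unprotected: no valid DMARC record, receivers use their own heuristics"
    if policy == "none":
        return "monitor-only: p=none, failing mail is delivered and only reported via rua"
    if pct < 100:
        return f"partially enforced: p={policy} applied to {pct}% of failing mail"
    return f"enforced: p={policy} applied to all failing mail"


if __name__ == "__main__":
    for label, record in SAMPLES.items():
        print(f"{label:11} {verdict(record)}")
    print(f"{'reject/sub':11} {verdict(SAMPLES['reject'], is_subdomain=True)}")
```

The useful distinction for a report like the one quoted is between "unprotected" and "monitor-only": a domain that deliberately publishes p=none is not misconfigured, it has chosen to collect aggregate reports rather than have receivers discard mail, and whether that choice is a vulnerability is a policy question for the domain owner, not a defect in the software.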
On 5/4/21 9:41 AM, Bruce Momjian wrote:
> On Tue, May 4, 2021 at 12:50:24AM +0300, M.Arslan Kabeer wrote:
>> Hi there,
>> Team, kindly see that this is a P4 (priority 4) vulnerability: from this attack an
>> attacker can spam your users by sending them email using your website's official
>> email address. I have been rewarded $300-$350 for this same vulnerability;
>> kindly, some sort of reward would be much appreciated. I have found and reported
>> another vulnerability, a critical one; kindly take a look.
>
> I now think we need to create a web page we can reference when people
> looking for recognition/money try reporting things like this. Obviously
> this reporting has attracted many unhelpful people, and an official page
> might help them to ignore us.

Maybe add a FAQ to the security page:

https://www.postgresql.org/support/security/

(Actually, looking at it, I'd like to make the "reporting an issue" directive at the top a bit more of a call-out, given it is an important directive for actual vulnerability discoveries.)

Jonathan
On Tue, May 4, 2021 at 09:44:50AM -0400, Jonathan Katz wrote:
> On 5/4/21 9:41 AM, Bruce Momjian wrote:
> > On Tue, May 4, 2021 at 12:50:24AM +0300, M.Arslan Kabeer wrote:
> >> Hi there,
> >> Team, kindly see that this is a P4 (priority 4) vulnerability: from this attack an
> >> attacker can spam your users by sending them email using your website's official
> >> email address. I have been rewarded $300-$350 for this same vulnerability;
> >> kindly, some sort of reward would be much appreciated. I have found and reported
> >> another vulnerability, a critical one; kindly take a look.
> >
> > I now think we need to create a web page we can reference when people
> > looking for recognition/money try reporting things like this. Obviously
> > this reporting has attracted many unhelpful people, and an official page
> > might help them to ignore us.
>
> Maybe add a FAQ to the security page:
>
> https://www.postgresql.org/support/security/
>
> (Actually, looking at it, I'd like to make the "reporting an issue"
> directive at the top a bit more of a call-out, given it is an important
> directive for actual vulnerability discoveries.)

Well, we don't have any FAQs there, so adding just one seems odd. I think we can put something in the top paragraph about the fact that we don't pay bug/security bounties, and that Postgres is very complex and it is easy to misdiagnose expected behavior as a security problem. I think that last item needs more thought, but I think it is important, since we wrestle with it regularly on the security email list.

-- 
Bruce Momjian <bruce@momjian.us> https://momjian.us
EDB https://enterprisedb.com

If only the physical world exists, free will is an illusion.
Sure. But please remember, we're an OSS project and don't pay for vulnerability reports. :)

+ Justin

On 2021-05-06 06:51, M.Arslan Kabeer wrote:
> Hi there,
> Okay, I understand. Can I report further vulnerabilities?