Any Update on Reported Vulnerability

Any Update on Reported Vulnerability

arslan.whitehat
Hi there,
Team, any update on the vulnerability report? I reported a DMARC vulnerability on 2021-04-15, and it's been a while; kindly update me on the progress of the vulnerability.
I am also attaching the POC images again.
I am hoping to receive a reward for the responsible disclosure of the vulnerability.
Kind regards
White HaT


Re: Any Update on Reported Vulnerability

Bruce Momjian
On Fri, Apr 30, 2021 at 08:36:34PM +0300, [hidden email] wrote:
> Hi there,
> Team, any update on the vulnerability report? I reported a DMARC vulnerability on 2021-04-15, and it's been a while; kindly update me on the progress of the vulnerability.
> I am also attaching the POC images again.
> I am hoping to receive a reward for the responsible disclosure of the vulnerability.

We don't give rewards, and this is a public email list.

--
  Bruce Momjian  <[hidden email]>        https://momjian.us
  EDB                                      https://enterprisedb.com

  If only the physical world exists, free will is an illusion.




Re: Any Update on Reported Vulnerability

Ray O'Donnell
On 30/04/2021 18:36, [hidden email] wrote:
> Hi there, Team, any update on the vulnerability report? I reported
> a DMARC vulnerability on 2021-04-15, and it's been a while; kindly
> update me on the progress of the vulnerability. I am also attaching the
> POC images again. I am hoping to receive a reward for the responsible
> disclosure of the vulnerability. Kind regards, White HaT

There was a response at the time from a member of the relevant team,
explaining that it wasn't actually a vulnerability - you'll find it in
the archives.

Ray.

--
Raymond O'Donnell // Galway // Ireland
[hidden email]



Re: Any Update on Reported Vulnerability

arslan.whitehat
Hi there,
Team, kindly see that this is a P4 (priority 4) vulnerability. From this attack an attacker can spam your users by sending them email using your website's official email address. I have been rewarded $300-$350 for this same vulnerability, so some sort of reward would be much appreciated. I have found and reported another vulnerability, a critical one; kindly take a look.
Always Best Regards
White HaT
----- Reply to message -----
Subject: Re: Any Update on Reported Vulnerability
Date: Mon, 3 May 2021, 22:56
From: Ray O'Donnell [hidden email]
To: [hidden email]
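The reporter's claim above is that, without an enforcing DMARC policy, anyone can send mail carrying the project's address in the From: header. Whether that applies to postgresql.org is disputed in this thread; the Python below is an added example written for this page, not code from the thread or from the PostgreSQL project. It parses a DMARC TXT record the way a receiving mail server would (RFC 7489 tag=value syntax) and classifies what a DMARC-honouring receiver does with mail that fails SPF/DKIM alignment: nothing at all for a missing or invalid record, delivery plus reports for `p=none`, and quarantine or reject only when the policy is enforcing and applies to 100% of failing mail. The domain names and records in `SAMPLE_RECORDS` are constructed for illustration and say nothing about any real domain's DNS; to check a real domain, fetch the TXT record at `_dmarc.<domain>` yourself and pass the string to `spoof_exposure()`.

```python
"""Parse a DMARC TXT record and assess what it does to spoofed mail.

Added example for this thread, not PostgreSQL project code. The records below
are constructed for illustration and are not real DNS data for any domain.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed records keyed by hypothetical domain; None means no _dmarc TXT record exists.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "none.example": None,
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "strict.example": "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example; adkim=s; aspf=s",
    "broken.example": "p=reject; v=DMARC1",  # v= must be the first tag, so this is invalid
}

VALID_POLICIES = ("none", "quarantine", "reject")


@dataclass
class DmarcPolicy:
    policy: str            # p=  action for the organizational domain
    subdomain_policy: str  # sp= action for subdomains (defaults to the p= value)
    pct: int               # pct= share of failing mail the policy is applied to
    adkim: str             # r (relaxed) or s (strict) DKIM identifier alignment
    aspf: str              # r (relaxed) or s (strict) SPF identifier alignment
    reporting: bool        # any rua=/ruf= reporting address present


def parse_dmarc(record: str) -> DmarcPolicy:
    """Parse 'tag=value; tag=value' per RFC 7489 section 6.3; raise ValueError if invalid."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # The version tag must come first and read DMARC1; otherwise receivers discard the record.
    first_tag = record.split(";", 1)[0].strip().lower()
    if not first_tag.startswith("v=") or tags.get("v", "").upper() != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if "p" not in tags:
        raise ValueError("required p= tag is missing")
    policy = tags["p"].lower()
    if policy not in VALID_POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    pct = int(tags.get("pct", "100"))  # non-numeric pct raises ValueError too
    if not 0 <= pct <= 100:
        raise ValueError("pct= must be between 0 and 100")
    return DmarcPolicy(
        policy=policy,
        subdomain_policy=tags.get("sp", policy).lower(),
        pct=pct,
        adkim=tags.get("adkim", "r").lower(),
        aspf=tags.get("aspf", "r").lower(),
        reporting="rua" in tags or "ruf" in tags,
    )


def spoof_exposure(record: Optional[str]) -> str:
    """Classify how a DMARC-honouring receiver treats mail that fails alignment for this domain."""
    if record is None:
        return "no-record"       # receiver applies no DMARC policy at all
    try:
        pol = parse_dmarc(record)
    except ValueError:
        return "invalid-record"  # a conforming receiver ignores an invalid record
    if pol.policy == "none":
        return "monitor-only"    # spoofed mail is still delivered; only reports are generated
    if pol.pct < 100:
        return f"{pol.policy}-partial"  # only pct% of failing mail gets the policy
    return pol.policy            # quarantine or reject applied to all failing mail


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain:18} {spoof_exposure(record)}")
```

Two caveats when reading the result: a DMARC record only describes what the sending domain asks for, and receivers that do not evaluate DMARC will deliver spoofed mail regardless of the policy; and a `p=none` record is a legitimate monitoring stage rather than a misconfiguration, which is why many projects treat a missing enforcing policy as a hardening item rather than a vulnerability.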

Re: Any Update on Reported Vulnerability

Bruce Momjian
On Tue, May  4, 2021 at 12:50:24AM +0300, M.Arslan Kabeer wrote:
> Hi there,
> Team, kindly see that this is a P4 (priority 4) vulnerability. From this attack an
> attacker can spam your users by sending them email using your website's official
> email address. I have been rewarded $300-$350 for this same vulnerability, so
> some sort of reward would be much appreciated. I have found and reported
> another vulnerability, a critical one; kindly take a look.

I now think we need to create a web page we can reference when people
looking for recognition/money try reporting things like this.  Obviously
this reporting has attracted many unhelpful people and an official page
might help them to ignore us.

--
  Bruce Momjian  <[hidden email]>        https://momjian.us
  EDB                                      https://enterprisedb.com

  If only the physical world exists, free will is an illusion.




Re: Any Update on Reported Vulnerability

Jonathan S. Katz-3
On 5/4/21 9:41 AM, Bruce Momjian wrote:
> On Tue, May  4, 2021 at 12:50:24AM +0300, M.Arslan Kabeer wrote:
>> Hi there,
>> Team, kindly see that this is a P4 (priority 4) vulnerability. From this attack an
>> attacker can spam your users by sending them email using your website's official
>> email address. I have been rewarded $300-$350 for this same vulnerability, so
>> some sort of reward would be much appreciated. I have found and reported
>> another vulnerability, a critical one; kindly take a look.
>
> I now think we need to create a web page we can reference when people
> looking for recognition/money try reporting things like this.  Obviously
> this reporting has attracted many unhelpful people and an official page
> might help them to ignore us.

Maybe add a FAQ to the security page:

https://www.postgresql.org/support/security/

(Actually looking at it, I'd like to make the "reporting an issue"
directive at the top a bit more of a call out, given it is an important
directive for actual vulnerability discoveries).

Jonathan



Re: Any Update on Reported Vulnerability

Bruce Momjian
On Tue, May  4, 2021 at 09:44:50AM -0400, Jonathan Katz wrote:

> On 5/4/21 9:41 AM, Bruce Momjian wrote:
> > On Tue, May  4, 2021 at 12:50:24AM +0300, M.Arslan Kabeer wrote:
> >> Hi there,
> >> Team, kindly see that this is a P4 (priority 4) vulnerability. From this attack an
> >> attacker can spam your users by sending them email using your website's official
> >> email address. I have been rewarded $300-$350 for this same vulnerability, so
> >> some sort of reward would be much appreciated. I have found and reported
> >> another vulnerability, a critical one; kindly take a look.
> >
> > I now think we need to create a web page we can reference when people
> > looking for recognition/money try reporting things like this.  Obviously
> > this reporting has attracted many unhelpful people and an official page
> > might help them to ignore us.
>
> Maybe add a FAQ to the security page:
>
> https://www.postgresql.org/support/security/
>
> (Actually looking at it, I'd like to make the "reporting an issue"
> directive at the top a bit more of a call out, given it is an important
> directive for actual vulnerability discoveries).

Well, we don't have any FAQs there, so adding just one seems odd.  I
think we can put something in the top paragraph about the fact we don't
pay bug/security bounties, and that Postgres is very complex and it is
easy to misdiagnose expected behavior as a security problem.  I think
that last item needs more thought, but I think it is important since we
wrestle with it regularly on the security email list.

--
  Bruce Momjian  <[hidden email]>        https://momjian.us
  EDB                                      https://enterprisedb.com

  If only the physical world exists, free will is an illusion.




Re: Any Update on Reported Vulnerability

arslan.whitehat
Hi there,
Okay, I understand. Can I report further vulnerabilities?
----- Reply to message -----
Subject: Re: Any Update on Reported Vulnerability
Date: Tue, 4 May 2021, 16:49
From: Bruce Momjian [hidden email]
To: Jonathan S. Katz [hidden email]

Re: Any Update on Reported Vulnerability

Justin Clift-2
Sure.  But please remember, we're an OSS project and don't
pay for vulnerability reports. :)

+ Justin


On 2021-05-06 06:51, M.Arslan Kabeer wrote:
> Hi there,
> Okay, I understand. Can I report further vulnerabilities?