Peter Eisentraut <peter_e@xxxxxxx> writes:
> Dawid Kuroczko wrote:
>> I think it is in good taste that when you find a
>> bug/vulnerability/etc first you contact the author (in this case:
>> core), leave them some time to fix the problem and then go on
>> announcing it to the world.

> In this case, core is not the author of the object in question. And of
> course, to report a "bug/vulnerability/etc" you would write to
> pgsql-bugs, not core.

Josh's point is that if you don't want to publicize a vulnerability to
the entire world in advance of there being any chance to fix it, you
don't send your report to an open, publicly-archived bugs list.

We don't really have an official security contact. The next best thing
is to send such reports to pgsql-core, which is not an open list, but
will reach a good chunk of those with an interest in fixing such
problems.

regards, tom lane