Update security page to reflect our status as CNA.
Showing 1 changed file with 44 additions and 8 deletions.
@@ -27,6 +27,45 @@ <h1>Security Information <i class="fas fa-lock"></i></h1> | |
vulnerabilities, and how fixes for security vulnerabilities are released. | ||
</p> | ||
|
||
<p> | ||
Please note that the PostgreSQL Project does not offer bug bounties. | ||
</p> | ||
|
||
<h2>CVE Numbering Authority</h2> | ||
|
||
<p> | ||
The PostgreSQL Project is a CVE Numbering Authority (CNA), working with Red Hat | ||
as our CNA Root. This allows us to assign our own CVE numbers and publish CVE | ||
records for PostgreSQL and closely related projects. | ||
</p> | ||
|
||
<p> | ||
We will currently assign CVE numbers for the following projects upon request to | ||
<a href="mailto:[email protected]">[email protected]</a>: | ||
</p> | ||
|
||
<ul> | ||
<li><a href="https://www.postgresql.org/">PostgreSQL</a></li> | ||
<li><a href="https://yum.postgresql.org/">PostgreSQL RPM packaging</a></li> | ||
<li><a href="https://apt.postgresql.org/">PostgreSQL DEB packaging</a></li> | ||
<li><a href="https://github.com/EnterpriseDB/edb-installers">PostgreSQL Windows/macOS installers (EDB)</a></li> | ||
<li><a href="https://jdbc.postgresql.org/">pgJDBC</a></li> | ||
<li><a href="https://odbc.postgresql.org/">psqlODBC</a></li> | ||
<li><a href="https://www.pgadmin.org/">pgAdmin</a></li> | ||
</ul> | ||
|
||
<p> | ||
Additional projects may request inclusion on the list above by emailing | ||
<a href="mailto:[email protected]">[email protected]</a>. | ||
</p> | ||
|
||
<p> | ||
<strong>NOTE:</strong> The security team will only assign CVEs to projects | ||
when requested by members of the project. If you think you've found a security | ||
issue in a project other than PostgreSQL or it's packages and installers, | ||
please contact the security team for that project. See below for more details. | ||
</p> | ||
|
||
<h2>What is a Security Vulnerability in PostgreSQL?</h2> | ||
|
||
<p> | ||
|
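Review bot: typo in the NOTE paragraph of this hunk: "a project other than PostgreSQL or it's packages and installers" should read "its packages and installers". In the same hunk, "We will currently assign CVE numbers for the following projects upon request to ..." reads as if anyone may request an assignment, while the NOTE several lines further down restricts requests to members of the project; consider writing "upon request from the project's maintainers" in that sentence so the restriction is stated where the request address is given rather than after the list.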
@@ -87,7 +126,11 @@ <h2>Reporting non-PostgreSQL Security Vulnerabilities</h2> | |
<a href="mailto:[email protected]">[email protected]</a>. | ||
</li> | ||
<li> | ||
If you wish to report a security vulnerability for an open source project in | ||
For security vulnerabilities in <a href="https://www.pgadmin.org/">pgAdmin</a>, | ||
please email <a href="mailto:[email protected]">[email protected]</a>. | ||
</li> | ||
<li> | ||
If you wish to report a security vulnerability for any other open source project in | ||
the PostgreSQL ecosystem (e.g. a driver, an extension, or an installer) and | ||
need a secure communication channel, please email | ||
<a href="mailto:[email protected]">[email protected]</a>. | ||
|
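Review bot: the reworded catch-all item ("any other open source project in the PostgreSQL ecosystem") offers a secure channel but does not say what the security team does with such a report. Since the NOTE added in the CNA section says CVEs are only assigned when the project itself asks, a reporter should be told whether the team forwards the report to that project's maintainers or expects the reporter to contact them separately; one sentence after "please email ..." would cover it. The new pgAdmin item is correctly placed before the catch-all so "any other" excludes it.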
@@ -115,13 +158,6 @@ <h2>PostgreSQL Security Releases</h2> | |
PostgreSQL Security Team</strong>. | ||
</p> | ||
|
||
<p> | ||
The PostgreSQL Security Team does not file a CVE for vulnerabilities in | ||
PostgreSQL-related projects nor does it list those vulnerabilities in the | ||
section below. It is up to external project maintainers to register a CVE for | ||
a security vulnerability. | ||
</p> | ||
|
||
<h2>PostgreSQL Security Notifications</h2> | ||
|
||
<p> | ||
|
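Review bot: dropping this paragraph is right now that the project is a CNA, but it also removed the only statement about whether vulnerabilities in related projects appear in the "PostgreSQL Security Notifications" section that follows. With pgJDBC, psqlODBC, pgAdmin and the packaging projects now inside CNA scope, either add a sentence saying whether CVEs assigned under the CNA for those projects are listed there, or keep the "nor does it list those vulnerabilities in the section below" half of the removed sentence so readers know where to look.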