
Commit

Update security page to reflect our status as CNA.
dpage authored and mhagander committed Oct 15, 2023
1 parent 3929dad commit 8b4c816
Showing 1 changed file with 44 additions and 8 deletions.
52 changes: 44 additions & 8 deletions templates/security/security.html
Expand Up @@ -27,6 +27,45 @@ <h1>Security Information <i class="fas fa-lock"></i></h1>
vulnerabilities, and how fixes for security vulnerabilities are released.
</p>

<p>
Please note that the PostgreSQL Project does not offer bug bounties.
</p>

<h2>CVE Numbering Authority</h2>

<p>
The PostgreSQL Project is a CVE Numbering Authority (CNA), working with Red Hat
as our CNA Root. This allows us to assign our own CVE numbers and publish CVE
records for PostgreSQL and closely related projects.
</p>

<p>
We will currently assign CVE numbers for the following projects upon request to
<a href="mailto:[email protected]">[email protected]</a>:
</p>

<ul>
<li><a href="https://www.postgresql.org/">PostgreSQL</a></li>
<li><a href="https://yum.postgresql.org/">PostgreSQL RPM packaging</a></li>
<li><a href="https://apt.postgresql.org/">PostgreSQL DEB packaging</a></li>
<li><a href="https://github.com/EnterpriseDB/edb-installers">PostgreSQL Windows/macOS installers (EDB)</a></li>
<li><a href="https://jdbc.postgresql.org/">pgJDBC</a></li>
<li><a href="https://odbc.postgresql.org/">psqlODBC</a></li>
<li><a href="https://www.pgadmin.org/">pgAdmin</a></li>
</ul>

<p>
Additional projects may request inclusion on the list above by emailing
<a href="mailto:[email protected]">[email protected]</a>.
</p>

<p>
<strong>NOTE:</strong> The security team will only assign CVEs to projects
when requested by members of the project. If you think you've found a security
issue in a project other than PostgreSQL or it's packages and installers,
please contact the security team for that project. See below for more details.
</p>

<h2>What is a Security Vulnerability in PostgreSQL?</h2>

<p>
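Review bot: Typo in the added NOTE paragraph: "a project other than PostgreSQL or it's packages and installers" should read "its packages and installers" (possessive, no apostrophe). Also in this hunk, the CNA list and the NOTE both say CVEs are assigned only on request from project members, but the paragraph introducing the list says "upon request to [email protected]" without stating who may make that request; consider folding the "members of the project" condition into that sentence so the requirement is stated once, where a reader first encounters it.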
Expand Down Expand Up @@ -87,7 +126,11 @@ <h2>Reporting non-PostgreSQL Security Vulnerabilities</h2>
<a href="mailto:[email protected]">[email protected]</a>.
</li>
<li>
If you wish to report a security vulnerability for an open source project in
For security vulnerabilities in <a href="https://www.pgadmin.org/">pgAdmin</a>,
please email <a href="mailto:[email protected]">[email protected]</a>.
</li>
<li>
If you wish to report a security vulnerability for any other open source project in
the PostgreSQL ecosystem (e.g. a driver, an extension, or an installer) and
need a secure communication channel, please email
<a href="mailto:[email protected]">[email protected]</a>.
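Review bot: Inconsistency between this hunk and the new CNA section above: pgAdmin now gets its own reporting bullet, but the other projects the page now lists as within CNA scope (the RPM and DEB packaging, the EDB installers, pgJDBC, psqlODBC) still fall under the generic "any other open source project in the PostgreSQL ecosystem" bullet with no mention that the PostgreSQL security team assigns their CVEs. Consider adding a sentence to that bullet (or a link back to the CNA section) so a reporter for one of those projects knows which address to use and that a CVE can be issued by this team rather than an external one.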
Expand Down Expand Up @@ -115,13 +158,6 @@ <h2>PostgreSQL Security Releases</h2>
PostgreSQL Security Team</strong>.
</p>

<p>
The PostgreSQL Security Team does not file a CVE for vulnerabilities in
PostgreSQL-related projects nor does it list those vulnerabilities in the
section below. It is up to external project maintainers to register a CVE for
a security vulnerability.
</p>

<h2>PostgreSQL Security Notifications</h2>

<p>
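Review bot: The removed paragraph stated two things: that the team does not file CVEs for related projects, and that it does not list those vulnerabilities "in the section below". The new CNA section replaces the first statement, but nothing now says whether CVEs this team assigns for pgAdmin, pgJDBC, psqlODBC or the packaging projects will appear in the Security Notifications list that follows. Suggest adding one sentence to the Security Notifications introduction making that scope explicit, so the removal does not leave readers assuming the notifications list covers related projects when it may not.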
Expand Down
