diff --git a/templates/security/security.html b/templates/security/security.html index 38d29bc5..0994f843 100644 --- a/templates/security/security.html +++ b/templates/security/security.html @@ -27,6 +27,45 @@

Security Information

vulnerabilities, and how fixes for security vulnerabilities are released.

+

+ Please note that the PostgreSQL Project does not offer bug bounties. +

+ +

CVE Numbering Authority

+ +

+ The PostgreSQL Project is a CVE Numbering Authority (CNA), working with Red Hat + as our CNA Root. This allows us to assign our own CVE numbers and publish CVE + records for PostgreSQL and closely related projects. +

+ +

+ We will currently assign CVE numbers for the following projects upon request to + cna@postgresql.org: +

+ + + +

+ Additional projects may request inclusion on the list above by emailing + cna@postgresql.org. +

+ +

+ NOTE: The security team will only assign CVEs to projects + when requested by members of the project. If you think you've found a security + issue in a project other than PostgreSQL or it's packages and installers, + please contact the security team for that project. See below for more details. +

+

What is a Security Vulnerability in PostgreSQL?

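Review bot: typo in the added NOTE paragraph, "a project other than PostgreSQL or it's packages and installers" should read "its packages and installers". Separately, the list of projects introduced by "upon request to cna@postgresql.org:" is not visible in this view of the hunk; confirm the list items actually render, since the following sentence ("Additional projects may request inclusion on the list above") and the NOTE both depend on that list being populated.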
@@ -87,7 +126,11 @@

Reporting non-PostgreSQL Security Vulnerabilities

pgsql-jdbc-security@lists.postgresql.org.
  • - If you wish to report a security vulnerability for an open source project in + For security vulnerabilities in pgAdmin, + please email security@pgadmin.org. +
  • +
  • + If you wish to report a security vulnerability for any other open source project in the PostgreSQL ecosystem (e.g. a driver, an extension, or an installer) and need a secure communication channel, please email security@postgresql.org. @@ -115,13 +158,6 @@

    PostgreSQL Security Releases

    PostgreSQL Security Team.

    -

    - The PostgreSQL Security Team does not file a CVE for vulnerabilities in - PostgreSQL-related projects nor does it list those vulnerabilities in the - section below. It is up to external project maintainers to register a CVE for - a security vulnerability. -

    -

    PostgreSQL Security Notifications
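Review bot: the new pgAdmin bullet and the reworded catch-all ("any other open source project in the PostgreSQL ecosystem") fit together, but this section now gives two kinds of mailbox without saying how they relate: project security contacts such as security@pgadmin.org for vulnerability reports, and cna@postgresql.org (from the CNA section above) for CVE assignment requests. Consider a one-sentence pointer here making clear that vulnerability reports go to the project's security contact and that only CVE assignment requests from project members go to cna@postgresql.org, so a pgAdmin reporter does not send the report itself to the CNA mailbox.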
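Review bot: deleting this paragraph is the right follow-through for the new CNA section, but it also removes the page's only statement about whether vulnerabilities in PostgreSQL-related projects appear in the Security Notifications list below. Since the CNA section now says the project publishes CVE records for closely related projects, add a sentence (here or in the notifications section) stating whether those CVEs are listed on this page or only on the respective project's site, whichever is the case.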