Open nobuto-m opened 1 month ago
I filed it under https://bugs.launchpad.net/postgresql-charm/+bug/2076956 for the time being.
Hi @nobuto-m, we have placed this information under the Contact form: https://charmhub.io/postgresql/docs/r-contacts
Report security issues through Launchpad
It is to involve the Canonical Security Team, to avoid early leaking and for proper CVE handling when necessary.
We will keep this open to handle the report https://bugs.launchpad.net/postgresql-charm/+bug/2076956 CC: @marceloneppel, @dragomirp, consider setting a password (and maybe making admin listen on localhost only). Thank you for helping us make our charm better!
Hi @nobuto-m, we have placed this information under the Contact form: https://charmhub.io/postgresql/docs/r-contacts
Report security issues through Launchpad
It is to involve the Canonical Security Team, to avoid early leaking and for proper CVE handling when necessary.
That's the exact point of this issue. The linked page states the following.
How to File
New security bugs should be created in the Ubuntu bug tracker (Launchpad). If you do not have a Launchpad account and prefer not to create one, you may send your report to security@ubuntu.com. We also accept GPG-encrypted mail.
To report a security vulnerability in an Ubuntu package, follow the regular bug-filing instructions, but take special note of the "Mark as security issue" check box near the bottom of the form:
And to report a security issue in Launchpad, this project has to be tracked in Launchpad, because it's not about Ubuntu packages or anything like that.
https://github.com/canonical/postgresql-operator/blob/602d9bc61010cdf5898eaa8069583b225b192fa6/README.md#L152-L153
The README suggests not using this GitHub repository for reporting security issues. However, there is no information on which exact Launchpad project to use for such a report.