Labatt (1700)
Community Discussion - Open
The PostgreSQL Security Team receives vulnerability reports, looks for similar defects, completes the fixes, and publishes CVE details. We're calling this session to hear your feedback on how we can do better. Questions to think about:
- When you compare the PostgreSQL vulnerability lifecycle to organizations that handle vulnerabilities better, what is different?
- When has a PostgreSQL vulnerability or vulnerability fix created unusual problems for you? What made it bad?
- Fixes appear in git on the Monday before the minor release. For coordinated vulnerability disclosure (CVD), we've discussed removing public access until the Thursday release. There would be a process to qualify for early access. What should we know about your use of git during release weeks?
- If making a new RDBMS, what would you avoid copying from the PostgreSQL security model?