From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-pj1-x1029.google.com (mail-pj1-x1029.google.com [IPv6:2607:f8b0:4864:20::1029]) by sourceware.org (Postfix) with ESMTPS id 44D5C3858C83 for ; Mon, 7 Feb 2022 20:07:45 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 44D5C3858C83 Received: by mail-pj1-x1029.google.com with SMTP id a11-20020a17090a740b00b001b8b506c42fso237021pjg.0 for ; Mon, 07 Feb 2022 12:07:45 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:reply-to :from:date:message-id:subject:to:cc; bh=m6hWekY9LMr8AvtxE5Q2KTJ9JaL3UtayWBjCe8FIG+Q=; b=Judq6cDHV/Ev39TMYDixYpfsijzJe0IAu0tzmrkeMCDwrcxidMOtlxegrCWxX2qzNL kP/NEJ7mQs5sgmTaCNHn8RI91QhQ+6fNOL4Y8n+OQ6mZ2u7rftGmIDvXzFY5sLUntXGf WYKdU41k7JYFfXft8mH+JODUNutu7+lIDtdGbCed3EE3Tihcc/5D1QLAoxY7mkG24HO8 LRqwkU1CJ5e7RVs4/Qub9zxaTODzzEWevLJnEorGP64prxhrigRefGWN9YaTzEmKwsCJ W6xK/0hi8/QnMPnJjkcKeFW/lzDuqe1yXt3www4czkECTT11TXt1CrCQR+DKYhnrmvUU 375g== X-Gm-Message-State: AOAM530yyQpQTD74L5mlOZULw1JdtgHaQz5P4QBdaY3vtUJ1g/uBvWsj DeYiKM77kkC6+jlJIXCts4fbqYH2aLcQu3rHNziZ9fss+t8= X-Google-Smtp-Source: ABdhPJxsbwDnZlzEgPcj/mdkB909vqjEcxJLpt2VNusLyQhBRhTe6Vnc4C9vxjwEUtgTl9HMPEcz6bsG04pCKsdD/jc= X-Received: by 2002:a17:903:18b:: with SMTP id z11mr1219020plg.47.1644264464412; Mon, 07 Feb 2022 12:07:44 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: Reply-To: noloader@gmail.com From: Jeffrey Walton Date: Mon, 7 Feb 2022 15:07:33 -0500 Message-ID: Subject: Re: Vulnerability in your website To: Muhammad javad Cc: bzip2-devel@sourceware.org Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=1.9 required=5.0 tests=BAYES_50, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, FREEMAIL_FROM, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS, TXREP, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.4 X-Spam-Level: * X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on server2.sourceware.org X-BeenThere: bzip2-devel@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Bzip2-devel mailing list List-Unsubscribe: , List-Archive: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 07 Feb 2022 20:07:47 -0000 On Mon, Feb 7, 2022 at 1:10 PM Muhammad javad via Bzip2-devel wrote: > > I found a vulnerability in your website and want to disclose it to you. > > Let me know if you have any active bug bounty program or is there any > compensation for reporting vulnerabilities? > > Looking forward to hearing from you Sourceware hosts the Bzip2 site. You should be able to reach the Adminstrative and Technical contacts via a WHOIS lookup. But it looks like they fail to publish the required information (this is an ICANN contractual requirement): $ whois sourceware.org | grep '@' Registrar Abuse Contact Email: registrar-abuse@google.com And I don't think registrar-abuse@google.com is who you want to contact. I also can't find a security contact while searching the sourceware site. Confer, https://www.sourceware.org/ and https://www.google.com/search?q=security+contact+site:sourceware.org. The page https://www.sourceware.org/suggestions.html offers sourcemaster@sourceware.org. Maybe it will work (?). Maybe try webmaster@sourceware.org, secure@sourceware.org or security@sourceware.org? They may be conforming to RFC2142. That's no way to run a railroad, as they say. Jeff