
PSIRT contact inquiry

Open zdi-disclosures opened this issue 9 months ago • 7 comments

Hello,

Trend Micro's Zero Day Initiative is a security/vulnerability research organization. We have discovered a vulnerability in Firebird SQL Database Server and we would like to disclose it responsibly to your company. To do so, we would need an email address and PGP key for your secure team/PSIRT/or other appropriate contact.

If you don't use PGP or you are happy with us submitting the cases without encryption, just let us know.

If we are unable to contact you after 15 days, we reserve the right to publish this vulnerability in accordance with our Disclosure Policy, which you can read here: https://www.zerodayinitiative.com/advisories/disclosure_policy/

Thank you and best regards,
Kholoud Altookhy
Program Manager, Zero Day Initiative
Trend Micro
[email protected]

zdi-disclosures, Mar 18 '25 23:03

I'm not sure if anyone has responded privately yet, but I've asked in our admin group to be sure.

mrotteveel, Mar 20 '25 08:03

Great that you've done it; now I've responded.

AlexPeshkoff, Mar 20 '25 11:03

@AlexPeshkoff @mrotteveel we didn't hear back from Firebird. Do you have any updates?

zdi-disclosures, Apr 30 '25 13:04

I've replied to [email protected]. I repeat that email here:

Hello Kholoud!

I'm Alex Peshkoff, and I'm responsible for security issues with the Firebird server, including fixing vulnerabilities. Please provide details regarding the discovered vulnerability (https://github.com/FirebirdSQL/firebird/issues/8480) here in unencrypted form.

Alex.

The email was sent from [email protected]. To confirm once again: we will be glad to fix the found issues. Feel free to send them to [email protected]

AlexPeshkoff, Apr 30 '25 13:04

@AlexPeshkoff We have submitted the report to [email protected]. Would you please acknowledge that you received it?

zdi-disclosures, May 02 '25 22:05

Thank you, received.

AlexPeshkoff, May 05 '25 06:05

@zdi-disclosures Thank you for the reported vulnerability; tomorrow's snapshots will be free of the bug.

We typically publish a security advisory a few months after the releases of all affected versions. In this case that is all supported Firebird versions, because the bug came from pre-Firebird times. This lets users upgrade without unneeded hurry. Can you also delay disclosure of the vulnerability? If yes, what's the best way to inform you that it's time for disclosure?

AlexPeshkoff, May 05 '25 16:05

Hello @AlexPeshkoff,

We can wait till August 30, 2025. Please inform us once the advisory is ready, and we will disclose it at our end.

zdi-disclosures, Aug 06 '25 16:08

Hello, I will publish it on August 15, 2025 and notify you once again.

AlexPeshkoff, Aug 08 '25 09:08

GitHub advisories are published.

AlexPeshkoff, Aug 15 '25 13:08

@AlexPeshkoff would you please provide the advisory link? ZDI is a CNA, and we are happy to provide a CVE for the issue.

zdi-disclosures, Aug 27 '25 13:08

Certainly: https://github.com/FirebirdSQL/firebird/security/advisories/GHSA-7qp6-hqxj-pjjp

AlexPeshkoff, Aug 27 '25 16:08