security@xxxxxxxxx doesn't work

I've spent two weeks trying to report a bug in bluez that may have security
implications, with no evidence of success.  The details of the issue aren't
relevant to the problem, so I'll just say I'm not a security professional
and can't say for certain whether the bug is actually a security problem.

https://www.bluez.org/development/ has a section "security bugs" with a link
labelled "handling the security bug of BlueZ".

That link points to https://www.bluez.org/development/security-bugs/,
which says "The BlueZ security team can be contacted by email at
security@xxxxxxxxx".

I sent an e-mail to security@xxxxxxxxx on 2025-03-26, and got an automatic reply
on 2025-03-31 saying the message couldn't be delivered:

> This is the mail system at host mail.holtmann.org.
>
> I'm sorry to have to inform you that your message could not
> be delivered to one or more recipients. It's attached below.
>
> For further assistance, please send mail to postmaster.
>
> If you do so, please include this problem report. You can
> delete your own text from the attached returned message.
>
>                    The mail system
>
> <(address hidden)> (expanded from <security@xxxxxxxxx>): host
>     alt1.aspmx.l.google.com[142.250.153.27] said: 550-5.7.26 Your email has
>     been blocked because the sender is unauthenticated. 550-5.7.26 Gmail
>     requires all senders to authenticate with either SPF or DKIM. 550-5.7.26
>     550-5.7.26  Authentication results: 550-5.7.26  DKIM = did not pass
>     550-5.7.26  SPF [pileofstuff.org] with ip: [212.227.132.17] = did not pass
>     550-5.7.26  550-5.7.26  For instructions on setting up authentication, go
>     to 550 5.7.26 https://support.google.com/mail/answer/81126#authentication
>     a640c23a62f3a-ac7195f9db3si563836466b.529 - gsmtp (in reply to end of DATA
>     command)
>
>
> Reporting-MTA: dns; mail.holtmann.org
> X-Postfix-Queue-ID: 2A99FCECD8
> X-Postfix-Sender: rfc822; kernel.org@xxxxxxxxxxxxxxx
> Arrival-Date: Wed, 26 Mar 2025 16:42:16 +0100 (CET)
>
> Final-Recipient: rfc822; (address hidden)
> Original-Recipient: rfc822;security@xxxxxxxxx
> Action: failed
> Status: 4.7.26
> Remote-MTA: dns; alt1.aspmx.l.google.com
> Diagnostic-Code: smtp; 550-5.7.26 Your email has been blocked because the
>     sender is unauthenticated. 550-5.7.26 Gmail requires all senders to
>     authenticate with either SPF or DKIM. 550-5.7.26 550-5.7.26
>     Authentication results: 550-5.7.26  DKIM = did not pass 550-5.7.26  SPF
>     [pileofstuff.org] with ip: [212.227.132.17] = did not pass 550-5.7.26
>     550-5.7.26  For instructions on setting up authentication, go to 550 5.7.26
>     https://support.google.com/mail/answer/81126#authentication
>     a640c23a62f3a-ac7195f9db3si563836466b.529 - gsmtp
>

Note: I have replaced the actual address with "(address hidden)" above,
as I'm not sure whether this address was supposed to be made public.

So far as I can tell, the message above means mail.holtmann.org is attempting
to send e-mails claiming to be from my domain, and correctly being blocked
by Google because I haven't authorised it to do so.

I then sent the bug report and the above issue directly to the hidden address
on 2025-04-03, but have not yet received a reply.

Could you let me know the correct process to report security issues and how
long I should expect to wait before acknowledgement?  Also, can you put
that information on the website for the next person who comes along?
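
Added example, not part of the original message: a small Python check that reads a delivery status notification like the one quoted above and flags the pattern the message describes, where an alias is expanded to another mailbox and the receiving server then evaluates SPF for the original sender's domain. The sample DSN, all addresses in it, and the function names are constructed for illustration.

```python
import re

# Constructed sample modeled on the bounce quoted above; all names and
# addresses are placeholders (example domains, documentation IP range).
SAMPLE_DSN = """\
Reporting-MTA: dns; forwarder.example
X-Postfix-Sender: rfc822; reporter@sender.example

Final-Recipient: rfc822; team@mailbox.example
Original-Recipient: rfc822;security@project.example
Action: failed
Diagnostic-Code: smtp; 550-5.7.26 Your email has been blocked because the
    sender is unauthenticated. 550-5.7.26  DKIM = did not pass 550-5.7.26  SPF
    [sender.example] with ip: [192.0.2.10] = did not pass 550 5.7.26
"""

def parse_fields(dsn):
    """Parse 'Name: value' DSN fields, unfolding indented continuation lines."""
    unfolded = re.sub(r"\n[ \t]+", " ", dsn)
    fields = {}
    for line in unfolded.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip().lower()] = value.strip()
    return fields

def addr(value):
    """Drop the 'rfc822;' / 'dns;' type prefix from a DSN field value."""
    return value.partition(";")[2].strip()

def diagnose(dsn):
    f = parse_fields(dsn)
    diag = f.get("diagnostic-code", "")
    spf = re.search(r"SPF \[([^\]]+)\] with ip: \[([^\]]+)\] = did not pass", diag)
    original = addr(f.get("original-recipient", ""))
    final = addr(f.get("final-recipient", ""))
    sender_domain = addr(f.get("x-postfix-sender", "")).rpartition("@")[2]
    result = {
        "relay": addr(f.get("reporting-mta", "")),
        "alias_expanded": bool(original and final and original != final),
        "spf_domain": spf.group(1) if spf else None,
        "spf_ip": spf.group(2) if spf else None,
        "dkim_failed": "DKIM = did not pass" in diag,
    }
    # Forwarding signature: the alias was expanded to another mailbox, and SPF
    # failed for the original envelope sender's domain at the connecting IP.
    result["forwarding_broke_spf"] = bool(
        result["alias_expanded"] and spf and result["spf_domain"] == sender_domain)
    return result
```

When `forwarding_broke_spf` is true, the rejection points at the forwarding hop rather than at the reporter's own mail setup.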



