>Who discovered the vulnerability?
>Mitsumasa Kondo and Kyotaro Horiguchi of NTT Open Source Software Center while conducting a security audit.

I'm not surprised. Some years ago I worked for a company that had NTT as a customer, and they were easily an order of magnitude more thorough and careful than anyone else. We used to joke that they knew our product better than we did.
Here is our official response from Heroku Postgres: https://postgres.heroku.com/blog/past/2013/4/4/postgres_security_updates_and_your_heroku_postgres_database/
In relation to the criticism about Heroku's early access: "Heroku was given access to updated source code which patched the vulnerability at the same time as other packagers. Because Heroku was especially vulnerable, the PostgreSQL Core Team worked with them both to secure their infrastructure and to use their deployment as a test-bed for the security patches, in order to verify that the security update did not break any application functionality. Heroku has a history both of working closely with community developers, and of testing experimental features in their PostgreSQL service."
> Any system that allows unrestricted access to the PostgreSQL network port, such as users running PostgreSQL on a public cloud, is especially vulnerable.

Heroku allows unauthenticated access to the Postgres port to anyone on the Internet? I guess that makes development a lot faster for users... nobody has to think about the implications of secured ports if you just punt on securing them.