1. Who discovered the vulnerability?
The vulnerability was discovered by Dawid Golunski of Legal Hackers
2. What should I do? Where do I get the patches?
See the Security fix section above
3. Can I make the patch my New Year's resolution and wait for some time?
You can wait, attackers probably won't ;)
4. How do I contact the maintainers of this site or the researcher?
You can contact the maintainers of this site via pwnscriptum[-at-]gmail.com.
The researcher who discoverd the vulnerability can be reached at dawid[-at-]legalhackers.com
5. Why is it called PwnScriptum (or P.$.) ?
It comes from P.S. short for latin PostScriptum, commonly used in e-mail communication.
The $ stands for a shell/script execution on the Pwned host after an email has been sent by a vulnerable webapp ;)
6. Is there a need for the name/logo/domain foo?
As you can see from the previous advisories, the researcher prefers to stick to advisories in raw plain-text (wrapped to 80 chars of course ;).
These post well on security lists but don't necessarily reach far outside the security community.
The news of this vulnerability however, due to the severity and wide usage of the affected software, had to reach the opensource users fast
(despite the bad timing and a holiday break ;) to speed up patching as much as possible before the full details/exploits get disclosed.
Hence the idea for this page.
7. Can I get the full RCE exploit code already to fix my PHPMailer?
That's what the patch/security release is for ;) (See the Security Fix section).
8. Can I use the logo on my blog? Go for it, it's meant to be opensource after all ;)