Pilning Station
Responsible Disclosure Policy

Hi there, thanks for finding this. If you're reading this, you've probably found some sort of security problem that's worth reporting to us. Please read on for more information.

Pilning Station Group (PSG) welcomes responsible disclosure of security issues. We are a small band of volunteers, and whilst we make every endeavour to keep our systems secure, we are by no means experts. We would appreciate any help you are willing to offer.

Please ensure you have read this policy fully and have understood what is and isn’t in-scope before contacting us. Please additionally note that we are unable to offer any monetary reward.

Current policy v1.5 effective date: 4th January 2022.
security.txt version v1.2 effective date 4th January 2022.
See policy changelog
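The policy is advertised through a security.txt file, a format since standardised as RFC 9116. As an added illustration (not PSG's own file or tooling), here is a small Python validator for that format, run over two constructed sample files that use example.org addresses. It checks the RFC's structural requirements: at least one Contact URI, exactly one RFC 3339 Expires that is neither past nor more than a year out, https for web links, no repeated singleton fields, and field names spelled as the RFC defines them (the RFC field is "Acknowledgments"; any other spelling is an unknown extension field that conforming parsers silently ignore). The reference time is fixed at this policy's effective date so the results are reproducible, and the parser assumes an unsigned file.

```python
"""Minimal parser and validator for security.txt (RFC 9116).

Added example, not Pilning Station Group's own file or tooling. The sample
files below are constructed for this illustration using example.org.
"""
from datetime import datetime, timedelta, timezone

# Field names defined in RFC 9116 section 2.5 (compared case-insensitively).
KNOWN_FIELDS = {"acknowledgments", "canonical", "contact", "csaf", "encryption",
                "expires", "hiring", "policy", "preferred-languages"}
SINGLETON_FIELDS = {"expires", "preferred-languages"}  # MUST NOT repeat
HTTPS_FIELDS = {"acknowledgments", "canonical", "csaf", "hiring", "policy"}  # web URIs


def parse_security_txt(text):
    """Return ([(field_lowercased, value), ...], [syntax problems]).
    Skips comment (#) and blank lines; assumes an unsigned (non-clearsigned) file."""
    fields, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            problems.append(f"line {lineno}: not a 'Field: value' line")
            continue
        fields.append((name.strip().lower(), value.strip()))
    return fields, problems


def _parse_expires(value):
    """Parse an RFC 3339 date-time; None if malformed or missing a zone offset."""
    # fromisoformat only accepts a trailing 'Z' from Python 3.11; normalise it.
    try:
        when = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return when if when.tzinfo is not None else None


def validate_security_txt(text, now=None):
    """Return a list of findings; an empty list means every check passed."""
    now = now or datetime.now(timezone.utc)
    fields, findings = parse_security_txt(text)
    counts = {}
    for name, value in fields:
        counts[name] = counts.get(name, 0) + 1
        if name not in KNOWN_FIELDS:
            findings.append(f"unknown field '{name}': not in RFC 9116, parsers will ignore it")
        if name == "contact" and not value.lower().startswith(("mailto:", "tel:", "https://")):
            findings.append(f"Contact '{value}' must be a mailto:, tel: or https:// URI")
        if name in HTTPS_FIELDS and not value.lower().startswith("https://"):
            findings.append(f"{name.title()} '{value}' must use https://")
        if name == "expires":
            when = _parse_expires(value)
            if when is None:
                findings.append(f"Expires '{value}' is not an RFC 3339 date-time")
            elif when <= now:
                findings.append(f"Expires '{value}' has passed; the file is stale")
            elif when - now > timedelta(days=365):
                findings.append(f"Expires '{value}' is over a year out; RFC 9116 recommends less")
    for name in ("contact", "expires"):
        if name not in counts:
            findings.append(f"required field '{name.title()}' is missing")
    for name in SINGLETON_FIELDS:
        if counts.get(name, 0) > 1:
            findings.append(f"'{name.title()}' appears {counts[name]} times; at most one allowed")
    return findings


# Constructed samples; the reference time is fixed so results are reproducible.
SAMPLE_NOW = datetime(2022, 1, 4, tzinfo=timezone.utc)

GOOD_SAMPLE = """\
Contact: mailto:security@example.org
Expires: 2022-12-31T23:59:00.000Z
Policy: https://www.example.org/responsible-disclosure/
Acknowledgments: https://www.example.org/responsible-disclosure/thanks/
Canonical: https://www.example.org/.well-known/security.txt
Preferred-Languages: en
"""

# Five distinct mistakes: bare address, misspelled field, http link,
# no Expires, repeated singleton.
BAD_SAMPLE = """\
Contact: security@example.org
Acknowledgements: https://www.example.org/thanks/
Policy: http://www.example.org/policy/
Preferred-Languages: en
Preferred-Languages: cy
"""

if __name__ == "__main__":
    for label, sample in (("good", GOOD_SAMPLE), ("bad", BAD_SAMPLE)):
        print(label, validate_security_txt(sample, SAMPLE_NOW) or "OK")
```

Run against a live file with the current time rather than SAMPLE_NOW; the Expires check is the one that quietly goes wrong on volunteer-run sites, since a lapsed date tells researchers the policy may no longer be maintained.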


Not In Scope

The following items are not in scope:

  • Anything to do with XMLRPC and/or WP-JSON
  • Volumetric/denial-of-service vulnerabilities (i.e. simply overwhelming our service with a high volume of requests)
  • Content-Security-Policy and other HTTP security headers
  • HTTP parameter pollution
  • Exposed version numbers

PSG will accept a report on one of these items only where exfiltration of personally identifiable information can be demonstrated.

We are aware that we don't follow best practice 100% on things such as SPF/DKIM/DMARC, web headers, cipher suites, etc. There is usually a reason for that, whether technical, volunteer time, or simply cost. We do welcome a nudge on where we could improve in line with best practice, but be aware that it may not always be possible for us to act on it. These items are not considered in scope for the purpose of the bounty.

PSG will not respond to reports that are considered not to be in scope.

Scope

With the exception of anything listed under ‘Not in Scope’ above, we welcome your thoughts on pretty much anything you think can or should be resolved.

A number of other things are hosted on this server, and they may (or may not…) have a security.txt file of their own. For the purposes of this document, *.pilningstation.uk and *.piln.in, together with anything referred to in the DNS zones of each of those, are considered to be in scope.

If you've arrived at this page because it's the only security.txt you could find for another project hosted here, please send your report to the address below anyway. The rest of this document will not apply, but it'll at least reach the correct person.

Bug Bounty

PSG is unable to offer a monetary bug bounty, because we're not an organisation with a budget. This site, and the campaign in general, is run by a small number of plucky individuals for whom every expense comes out of our own pockets.

Should we be able to resolve an issue as a result of your disclosure, however, we would like to offer a token of our appreciation, which would likely take the form of commemorative leaflets relating to the Pilning Challenges. We may also buy you a beer (or other drink to taste) if you ever alight at the station!

Reporting

Please email security﹫piln.in (paying close attention to the ‘at’ character used here) with details of the vulnerability. We’ll endeavour to reply to you as soon as possible – please give us a nudge if we don’t. Please do not use the contact form embedded on this website.

If your report is likely to include any sensitive information, please do not send this with your initial contact. Let us know, and we’ll agree a method to exchange this securely.

Acknowledgements

Please see our Acknowledgements Page where we would like to publicly thank security researchers who have helped us tackle security issues.

Feedback on this policy

We said above that we’re new to this – that’s from start to finish. We welcome any feedback at all on our approach to this. Please use the contact form to the left for this purpose.

Changes made to this policy

v1.5 (2022-01-04)

Minor modifications to the out-of-scope section. Updated security.txt version to 1.2.

v1.4 (2021-11-28)

Rearranged the scope / out-of-scope sections to make it clearer what we will and will not accept.

v1.3 (2021-09-05)

Added extra items which are not considered in-scope.

v1.2 (2021-09-02)

Added an acknowledgement page, added link on this page, added an Acknowledgements: line to security.txt, clarified our stance regarding monetary bounties.

v1.1 (2021-08-26)

Added the ‘Not in Scope’ section, and clarified what we don’t currently consider to be eligible. Modified the ‘Scope’ section to refer to the aforementioned section. Made minor amendments throughout as we learn what shape this policy is taking!

v1.0 (2021-06-17)

Initial release.
