Hi there, thanks for finding this. By being here, I’m guessing this means you’ve found some sort of security problem that’s worth reporting to us. Please read on for more information.
Pilning Station Group (PSG) welcomes responsible disclosure of security issues. We are a small band of volunteers, and whilst we make every endeavour to keep our systems secure, we are by no means experts. We would appreciate any help that’s willing to be offered.
Please ensure you have read this policy fully and have understood what is and isn’t in-scope before contacting us. Please additionally note that we are unable to offer any monetary reward.
We’re new to this, and are learning what is and isn’t the best of ideas to include! With the exception of anything listed under ‘Not in Scope’ below, for now let’s say: pretty much anything you think can or should be resolved.
There are a number of things hosted on this server, which may (or may not…) themselves have a further security.txt file. For the purposes of this document, *.piln.in – or items referred to in the DNS zones of each of those – are considered to be in scope.
If you’ve arrived at this page because it’s the only security.txt you could find for another project hosted here, please send it through to the below address anyway. The rest of this document will not apply, but it’ll at least reach the correct person.
Not In Scope
The following items are not currently considered to be in-scope, except where personally-identifiable data exfiltration can be proven:
- Content-Security-Policy and other HTTP security headers
- HTTP Parameter Pollution
- Theoretical wp-json / xmlrpc attacks
- Version numbers exposed
We are aware we aren’t 100% on best-practice things, such as SPF/DKIM/DMARC, web headers, cipher suites, etc. Sometimes there’s a reason for that – likely technical, humanpower, or just cost. We do welcome a nudge on where we could improve in line with best practice, but be aware it may not always be possible for us to act on those. These items are not considered to be in-scope for the purpose of the bounty.
PSG is unable to offer a monetary bug bounty, because we’re not an organisation with a budget. This site, and the campaign in general, is run by a small number of plucky individuals for whom every expense comes out of our own pockets.
Should we successfully be able to resolve an issue from your disclosure, we would like to offer a token of our appreciation however, and this would likely take the form of commemorative leaflets relating to the Pilning Challenges. We may also buy you a beer (or other drink to taste) if you ever alight at the station!
Please email security﹫piln.in (paying close attention to the ‘at’ character used here) with details of the vulnerability. We’ll endeavour to reply to you as soon as possible – please give us a nudge if we don’t. Please do not use the contact form embedded on this website.
If your report is likely to include any sensitive information, please do not send this with your initial contact. Let us know, and we’ll agree a method to exchange this securely.
Please see our Acknowledgements Page where we would like to publicly thank security researchers who have helped us tackle security issues.
Feedback on this policy
We said above that we’re new to this – that’s from start to finish. We welcome any feedback at all on our approach to this. Please use the contact form to the left for this purpose.
Changes made to this policy
Added extra items which are not considered in-scope.
Added an acknowledgement page, added link on this page, added an Acknowledgements: line to security.txt, clarified our stance regarding monetary bounties.
Added the ‘Not in Scope’ section, and clarified what we don’t currently consider to be eligible. Modified the ‘Scope’ section to refer to the aforementioned section. Made minor amendments throughout as we learn what shape this policy is taking!