Hi there. Thanks for finding this. By being here, I’m guessing this means you’ve found some sort of security problem that’s worth reporting to us. Please read on for more information.
Pilning Station Group (PSG) welcomes responsible disclosure of security issues. We’re a small (tiny!) outfit, and whilst we make every endeavour to keep our systems secure, we are by no means experts. We would appreciate any help that’s willing to be offered.
Current policy (v1.0) effective date: 17th June 2021
We’re completely new to this, but for now let’s say: Pretty much anything you think can or should be resolved.
(Though do note this near-blanket approach is likely to be reviewed over time.)
We are aware we aren’t 100% on best-practice things, such as SPF/DKIM, web headers, cipher suites, etc. Sometimes there’s a reason for that – likely technical, humanpower, or just cost. We do welcome a nudge on where we could improve in line with best practice, but be aware it may not always be possible for us to act on those.
There are a number of things hosted on this server, which may (or may not…) themselves have a further security.txt file. For the purposes of this document, *.piln.in – or items referred to in the DNS zones of each of those – are in-scope.
If you’ve arrived at this page because it’s the only security.txt you could find for another project hosted here, please send it through to the below address anyway. The rest of this document will not apply, but it’ll at least reach the correct person.
PSG is unable to offer a monetary bug bounty, because we’re not an organisation with a budget. This site, and the campaign in general, is run by a small number of plucky individuals for whom every expense comes out of our own pockets.
Should we be able to resolve an issue as a result of your disclosure, however, we would like to offer a token of our appreciation; this would likely take the form of commemorative leaflets relating to the Pilning Challenges. We may also buy you a beer (or other drink to taste) if you ever alight at the station!
Please email security﹫piln.in (paying close attention to the ‘at’ character used here) with details of the vulnerability. We’ll endeavour to reply to you as soon as possible. Please do not use the contact form embedded on this website.
If your report is likely to include any sensitive information, please do not send this with your initial contact. Let us know, and we’ll agree a method to exchange this securely.
Feedback on this policy
We said above that we’re new to this – that’s from start to finish. We welcome any feedback at all on our approach to this. Please use the contact form to the left for this purpose!
Changes made to this policy