Hi there, thanks for finding this. By being here, I’m guessing this means you’ve found some sort of security problem that’s worth reporting to us. Please read on for more information.
Pilning Station Group (PSG) welcomes responsible disclosure of security issues. We are a small band of volunteers, and whilst we make every endeavour to keep our systems secure, we are by no means experts. We would appreciate any help that you are willing to offer.
Please ensure you have read this policy fully and have understood what is and isn’t in-scope before contacting us. Please additionally note that we are unable to offer any monetary reward.
Current policy v1.5 effective date: 4th January 2022. security.txt version v1.2 effective date: 4th January 2022.
See policy changelog
Not In Scope
The following items are not in-scope.
- Anything to do with XMLRPC and/or WP-JSON
- Volumetric/Denial of Service vulnerabilities (i.e. simply overwhelming our service with a high volume of requests)
- Content-Security-Policy and other HTTP security headers
- HTTP Parameter Pollution
- Version numbers exposed
PSG will accept these, but only where exfiltration of personally-identifiable information can be proven.
We are aware we aren’t 100% on best-practice things, such as SPF/DKIM/DMARC, web headers, cipher suites, etc. Sometimes there’s a reason for that – likely technical, humanpower, or just cost. We do welcome a nudge on where we could improve in line with best practice, but be aware it may not always be possible for us to act on those. These items are not considered to be in-scope for the purpose of the bounty.
PSG will not respond to reports that are considered not to be in scope.
Scope
With the exception of anything listed under ‘Not in Scope’ above, we welcome your thoughts on pretty much anything you think can or should be resolved.
There are a number of things hosted on this server, which may (or may not…) themselves have a further security.txt file. For the purposes of this document, *.pilningstation.uk and *.piln.in – or items referred to in the DNS zones of each of those – are considered to be in scope.
If you’ve arrived at this page because it’s the only security.txt you could find for another project hosted here, please send it through to the below address anyway. The rest of this document will not apply, but it’ll at least reach the correct person.
Bug Bounty
PSG is unable to offer a monetary bug bounty, because we’re not an organisation with a budget. This site, and the campaign in general, is run by a small number of plucky individuals for whom every expense comes out of our own pockets.
Should we successfully be able to resolve an issue from your disclosure, we would nonetheless like to offer a token of our appreciation, and this would likely take the form of commemorative leaflets relating to the Pilning Challenges. We may also buy you a beer (or other drink to taste) if you ever alight at the station!
Reporting
Please email security﹫piln.in (paying close attention to the ‘at’ character used here) with details of the vulnerability. We’ll endeavour to reply to you as soon as possible – please give us a nudge if we don’t. Please do not use the contact form embedded on this website.
If your report is likely to include any sensitive information, please do not send this with your initial contact. Let us know, and we’ll agree a method to exchange this securely.
Acknowledgements
Please see our Acknowledgements Page where we would like to publicly thank security researchers who have helped us tackle security issues.
Feedback on this policy
We said above that we’re new to this – that’s from start to finish. We welcome any feedback at all on our approach to this. Please use the contact form to the left for this purpose.
Changes made to this policy
v1.5 (2022-01-04)
Minor modifications to the out-of-scope section. Updated security.txt version to 1.2.
v1.4 (2021-11-28)
Rearranged the scope / out-of-scope sections to make it clearer what we will and will not accept.
v1.3 (2021-09-05)
Added extra items which are not considered in-scope.
v1.2 (2021-09-02)
Added an acknowledgement page, added link on this page, added an Acknowledgements: line to security.txt, clarified our stance regarding monetary bounties.
v1.1 (2021-08-26)
Added the ‘Not in Scope’ section, and clarified what we don’t currently consider to be eligible. Modified the ‘Scope’ section to refer to the aforementioned section. Made minor amendments throughout as we learn what shape this policy is taking!
v1.0 (2021-06-17)
Initial release.