There doesn’t seem to be much of an attack surface for the wintersdeep_postcode library. However, that’s the nature of security issues - they always crop up where you least expect them.
The project strongly supports vulnerability disclosure, and believes it’s important to be transparent when vulnerabilities occur so that everyone can learn, patch and be safer.
With that in mind, what are you looking for?
- I found a security vulnerability
- I want to be notified of security vulnerabilities
- The “Hall of Fame” / Known Exploits
If you think you have discovered a vulnerability, and you are here, it would suggest you are interested in responsible disclosure - so thank you! Obviously the ball is in your court here, but we would ask you to do the following:
- Please do not raise the issue on the project’s public issue tracker; doing so makes the issue public before a fix is available and leaves users exposed.
- Send an email to security@wintersdeep.com with the subject prefixed with “Vulnerability Disclosure” (for example, “Vulnerability Disclosure: WintersDeep Postcode”), including as much of the following information as you can:
  - The version of the software that is impacted.
  - A technical description of the vulnerability.
  - A proof-of-concept (POC) in an encrypted ZIP file, including a brief description of what it does, and how to use it.
  - Any associated CVE number(s) you’ve been issued for the fault(s).
  - An indication of whether you want to be involved in fault resolution (from advice if/as required, to testing any patch before it goes live).
- Wait for a confirmation of receipt; resend the email if you don’t get a reply within 48hrs, but do not include any POC attachments (in case they are tripping spam filters).
- Once you get confirmation, sit on it for 90 days, or 30 days after a patch is released, whichever is sooner - unless you’re feeling generous and a patch is on the horizon (in which case a grace period may be requested, at your discretion).
- After the above time period has passed, sing a song of your exploits. Post a blog, raise an issue in the tracker (why not include a link to any material you publish?), and get the exposure you rightly deserve. Or slink slowly back into the night like some mysterious ninja - your call.
Unfortunately this project does not have any funding to offer any sort of bounty, but we do offer our external gratitude and a spot in the hall of fame below if you follow the responsible disclosure guidance above.
Any new release of the software which contains fixes for security vulnerabilities will be clearly labelled as such in associated change logs. If you are using the project and want more direct notifications straight to your inbox send an email to security@wintersdeep.com with the subject “Notification Request: WintersDeep Postcode”.
This is a manually managed list; you’ll receive a notification email when you’ve been added. Members of this list may receive the following message types:
- Notice of when the project becomes aware of any vulnerabilities being actively exploited “in the wild”, if a patch is not available, or is not anticipated to be available within 24hrs.
- Potentially, advance notice of up to 48hrs of a security patch being released. This will only occur if the patch involves breaking changes and time allows.
- Notification of a software update/release which includes changes that address security vulnerabilities.
- Notification if/when the library becomes end-of-life.
- Notification of discontinuation of this service.
Your email address will not be used for any other purposes (including notification of software releases that do not contain vulnerability fixes), and you can remove yourself from the list by sending an email to security@wintersdeep.com with the subject “Notification Unsubscribe: WintersDeep Postcode”.
Please ensure that “@wintersdeep.com” emails are whitelisted by your mail provider.
This section will list any known vulnerabilities, which versions are impacted, when each was fixed, and who did the damage (if they want to be known).
No one’s found anything yet; are you going to be the first?