Security Policy

Contents

Security contact

We provide a security.txt file for structured security contact information: https://stmichael-hatfield.org/security.txt . You can use the contact page on this site to send a message to us. You may also use email, via security@ or webmaster@ addresses, but please remember that email is unencrypted by default and should not contain confidential or security-related information.

Security statement

The security of this site is of great importance and every effort is made to maintain industry-leading standards and processes. Security updates to all levels of software are implemented within a very short time-frame and the site is monitored constantly for modified files and unauthorised login attempts. Unless it is absolutely necessary to deliver the content or service you have requested, we do not record or process personal data. All links to third party sites are clearly marked and embedded content is identifiable and disclosed. For more information please refer to our privacy policy.

Disclosure policy

If you believe this site has a security vulnerability, we would be very happy to hear from you, provided that you follow the terms of our disclosure process:

  • The disclosure must be made following the contact procedure set out above.
  • The disclosure may be made anonymously.
  • The disclosure you make to us should relate directly to this site or to the email service associated with it.
  • The disclosure must relate to a service in our control, rather than to a matter which is the responsibility of a third party providing a service to us.
  • The disclosure must not be released to the public without our prior consent.
  • Abusive or threatening language, harassment, impersonation, or any other kind of criminal activity, will be reported to the relevant authorities and pursued to the full extent of the law.
  • Automated penetration testing or unauthorised attempts to gain access to our site will be treated by us as a deliberate attack and be subject to legal action.
  • The disclosure must relate to a matter set out below and specifically not to matters such as the exact configuration of our current security headers or to recently announced zero-day vulnerabilities:
    • Information leakage, or leakage of personal data
    • Unauthorised access at either user or root level
    • Code injection
    • Remote code execution

When a potential security issue is reported privately in accordance with these terms, we will check the issue and respond within one working week if you have provided valid contact details.

We will not take legal action against anyone who reports a security concern to us privately, in accordance with this policy, and without having undertaken intrusive testing. We are not currently able to offer ‘bug bounties’ or similar cash rewards, but, with your consent, we would be happy to publish an acknowledgement on this site to express our gratitude.

Thanks and acknowledgements

We would like to thank the following testers, researchers, and developers: