Security

Vulnerability Disclosure Policy

We take security seriously. If you discover a vulnerability in PLEXUS, we want to hear about it, and we ask that you report it responsibly. We commit to working with you to understand and address the issue promptly.


How to Report

Send a detailed report to security@plexus-plc.com. We acknowledge all reports within 48 hours and aim to provide a resolution timeline within 5 business days.

You may also use our security.txt file for machine-readable contact information (RFC 9116).

Include in your report:

  • Description of the vulnerability and potential impact
  • Steps to reproduce (proof of concept preferred)
  • Affected URL, endpoint, or component
  • Your contact information for follow-up

Scope

✓ In Scope

  • https://www.plexus-plc.com — production web application
  • https://api.plexus-plc.com — public API endpoints
  • PLEXUS Desktop application (Tauri)
  • Authentication and session management vulnerabilities
  • SQL injection, XSS, CSRF, SSRF
  • Insecure direct object references (IDOR)
  • Broken access control and privilege escalation
  • Cryptographic weaknesses in file vault or data transport
  • PLC tag write bypass without user confirmation (RULE-P1)
  • Safety tag protection bypass (_ES, _STO, _SIL)

✗ Out of Scope

  • Denial-of-service attacks against production infrastructure
  • Social engineering or phishing attacks targeting our staff
  • Physical security of our offices or data centres
  • Third-party services not under our direct control
  • Theoretical vulnerabilities without a working proof of concept
  • Automated scanning output without manual verification
  • Vulnerabilities in customer-controlled PLC hardware or firmware

Our Commitments

  • Acknowledge receipt of your report within 48 hours
  • Confirm the vulnerability and inform you of severity within 5 business days
  • Keep you informed of remediation progress
  • Credit you in our hall of fame (unless you prefer anonymity)
  • Not pursue legal action against good-faith researchers
  • Treat your report with confidentiality

Safe Harbour

PLEXUS will not take legal action against researchers who discover and report vulnerabilities in good faith in accordance with this policy. We consider security research conducted under this policy to be:

  • Authorised under the Computer Fraud and Abuse Act (CFAA)
  • Exempt from DMCA anti-circumvention provisions
  • Conducted in good faith and without intent to harm

You must not access, modify, or delete customer data. Testing must be performed on your own accounts or dedicated test environments only.


Severity Classification

Critical

Remote code execution, full authentication bypass, PLC tag write without authentication, safety tag protection bypass. Target fix: 24 hours.

High

Privilege escalation, cross-tenant data access, AES key exposure, IDOR on sensitive resources. Target fix: 7 days.

Medium

XSS, CSRF, information disclosure, rate limit bypass, insecure file upload. Target fix: 30 days.

Low

Outdated dependencies, missing security headers, verbose error messages. Target fix: 90 days.


Hall of Fame

We gratefully acknowledge the following researchers who have responsibly disclosed security vulnerabilities to us. Listed chronologically; most recent first.

No reports yet — be the first!


Encrypted Communications

For sensitive reports we accept PGP-encrypted email. Download our public key from /pgp-key.asc.

Fingerprint: to be published once the key has been generated

Email: security@plexus-plc.com