I think it's a security researcher. They've found a bug (we should not allow .. to appear in slugs) but don't seem to have found a way to do anything useful or interesting with it yet.

The security people are making me wonder if we should have a demo install on .org.

plshckme.phabricator.org

Yeah, I made a note in T331 (basically, set up demo. and hack.). I'd want to cycle both of them regularly, though (e.g., make the install wipe itself every night) and have some sort of regular upgrade plan, at least, so no one is able to run a Warez torrent site off an install we never look at or whatever.

I've updated the HackerOne project description to make it more clear that they shouldn't be testing here, but it hasn't had much effect in dissuading them (I updated a week or two ago). The HackerOne terms are also very clear about this. I'm starting to push back more aggressively on researchers who are doing this, although it's kind of whack-a-mole.

And, of course, everyone's first test is to look for XSS in everything.

(Particularly, since the instructions are hard to miss now, I wonder how effectively we could really route traffic to hack.)

I think in general though it's laziness. A loaded install is still less work than something they can one-click register. Phabricator actually takes time and will to install.

I cleaned up the documents on this server, too.