Reporting Security Issues

 

Report a Vulnerability 

Parabol is open-source software. We believe transparent implementations create more secure and better products for our users. If you believe you have discovered a vulnerability in a Parabol product or have a security incident to report, please fill out this contact form. If your communication needs to be encrypted, please contact us and we’ll coordinate a secure communications channel.

If you're a security researcher and seeking a bounty, in addition to disclosure please see Bug Bounty section below.

Steps taken

Once we have received a vulnerability report, Parabol takes a series of steps to address the issue:

  1. Parabol requests that the reporter keep any communication regarding the vulnerability confidential
  2. Parabol investigates and verifies the vulnerability
  3. Parabol addresses the vulnerability and releases an update or patch to the software. If for some reason this cannot be done quickly or at all, Parabol will provide information on recommended mitigations
  4. Parabol publicly announces the vulnerability in the changelog of the update. Parabol may also issue additional public announcements, for example via social media, our blog, and media
  5. Release notes (and blog posts when issued) include a reference to the person/people who reported the vulnerability, unless the reporter(s) would prefer to stay anonymous
  6. If the vulnerability resulted in a breach or loss of data, the affected user(s) will be notified within 24 hours of the vulnerability mitigation

Parabol will endeavor to keep the reporter apprised of every step in this process as it occurs.

Our promise

When notified of a legitimate vulnerability, we’ll do our best to acknowledge the report and keep our user community properly and safely informed. When we discover vulnerabilities ourselves within our own software or with a 3rd-party module, we’ll do our best to coordinate our efforts with the affected parties.

 

Bug bounty

We may offer monetary rewards for vulnerability disclosure. Not all The decision to grant a reward is entirely at our discretion. Bounty payments are subject to the following eligibility requirements:

  1. Because we're based in the United States, we aren't able to pay bounties to residents or those who report vulnerabilities from a country against which the United States has trade restrictions or export sanctions as determined by the U.S. Office of Foreign Assets Control (OFAC).

  2. Minors are welcome to participate in the program. However, the Children's Online Privacy Protection Act restricts our ability to collect personal information from children under 13, so you will need to claim your bounties through your parent or legal guardian if you are 12 or younger.

  3. All payments will be made in U.S. dollars (USD) and will comply with local laws, regulations and ethics rules. You are responsible for the tax consequences of any bounty you receive, as determined by the laws of your country.

  4. It is your sole responsibility to comply with any policies your employer may have that would affect your eligibility to participate in this bounty program.

How big are the bounties?

It depends on the severity. In general, the maximum we'll pay is given by the following:

  • Low Severity: up to $50
  • Medium Severity: up to $150
  • High Severity: up to $300
  • Critical Severity: up to $500

We reserve the right to decide how we classify each reported issue. Here are how we think of each level:

Low Severity

Vulnerabilities in the low range exhibit the following criteria:

  • Little to no impact on the business
  • Vulnerabilities requiring a costly expenditure of resources (time or money) for very limited access
  • Denial of service vulnerabilities that are difficult to set up
  • Exploits that require an attacker to reside on the same local network as the victim

Medium Severity

Vulnerabilities in the medium severity range generally exhibit most of the following criteria:

  • Vulnerabilities that require the attacker to manipulate individual victims via social engineering tactics
  • Vulnerabilities where exploitation provides only very limited access
  • Vulnerabilities that require user privileges for successful exploitation

High Severity

Vulnerabilities in the high severity range generally exhibit most of the following criteria:

  • The vulnerability is difficult to exploit
  • Exploitation could result in elevated privileges
  • Exploitation could result in a significant data loss or downtime

Critical Severity

Vulnerabilities in the critical range generally exhibit most of the following criteria:

  • Exploitation of the vulnerability likely results in root-level compromise of servers or infrastructure devices
  • Exploitation is usually straightforward, in the sense that the attacker does not need any special authentication credentials or knowledge about individual victims, and does not need to persuade a target user, for example via social engineering, into performing any special functions

Restrictions

The following kinds of vulnerabilities are not eligible within our Bug Bounty program: