Parabol is open-source software. We believe transparent implementations create more secure and better products for our users. If you believe you have discovered a vulnerability in a Parabol product or have a security incident to report, please fill out this contact form. If your communication needs to be encrypted, please contact us and we’ll coordinate a secure communications channel.
If you're a security researcher and seeking a bounty, in addition to disclosure please see Bug Bounty section below.
Once we have received a vulnerability report, Parabol takes a series of steps to address the issue:
Parabol requests that the reporter keep any communication regarding the vulnerability confidential
Parabol investigates and verifies the vulnerability
Parabol addresses the vulnerability and releases an update or patch to the software. If for some reason this cannot be done quickly or at all, Parabol will provide information on recommended mitigations
Parabol publicly announces the vulnerability in the changelog
of the update. Parabol may also issue additional public announcements, for example via social media, our blog, and media
Release notes (and blog posts when issued) include a reference to the person/people who reported the vulnerability, unless the reporter(s) would prefer to stay anonymous
If the vulnerability resulted in a breach or loss of data, the affected user(s) will be notified within 24 hours of the vulnerability mitigation
Parabol will endeavor to keep the reporter apprised of every step in this process as it occurs.
When notified of a legitimate vulnerability, we’ll do our best to acknowledge the report and keep our user community properly and safely informed. When we discover vulnerabilities ourselves within our own software or with a 3rd-party module, we’ll do our best to coordinate our efforts with the affected parties.
We may offer monetary rewards for vulnerability disclosure. Not all The decision to grant a reward is entirely at our discretion. Bounty payments are subject to the following eligibility requirements:
- Because we're based in the United States, we aren't able to pay bounties to residents or those who report vulnerabilities from a country against which the United States has trade restrictions or export sanctions as determined by the U.S. Office of Foreign Assets Control (OFAC).
- Minors are welcome to participate in the program. However, the Children's Online Privacy Protection Act restricts our ability to collect personal information from children under 13, so you will need to claim your bounties through your parent or legal guardian if you are 12 or younger.
- All payments will be made in U.S. dollars (USD) and will comply with local laws, regulations and ethics rules. You are responsible for the tax consequences of any bounty you receive, as determined by the laws of your country.
- It is your sole responsibility to comply with any policies your employer may have that would affect your eligibility to participate in this bounty program.
How big are the bounties?
It depends on the severity. In general, the maximum we'll pay is given by the following:
- Low Severity: up to $50
- Medium Severity: up to $150
- High Severity: up to $300
- Critical Severity: up to $500
We reserve the right to decide how we classify each reported issue. Here are how we think of each level:
Vulnerabilities in the low range exhibit the following criteria:
- Little to no impact on the business
- Vulnerabilities requiring a costly expenditure of resources (time or money) for very limited access
- Denial of service vulnerabilities that are difficult to set up
- Exploits that require an attacker to reside on the same local network as the victim
Vulnerabilities in the medium severity range generally exhibit most of the following criteria:
- Vulnerabilities that require the attacker to manipulate individual victims via social engineering tactics
- Vulnerabilities where exploitation provides only very limited access
- Vulnerabilities that require user privileges for successful exploitation
Vulnerabilities in the high severity range generally exhibit most of the following criteria:
- The vulnerability is difficult to exploit
- Exploitation could result in elevated privileges
- Exploitation could result in a significant data loss or downtime
Vulnerabilities in the critical range generally exhibit most of the following criteria:
- Exploitation of the vulnerability likely results in root-level compromise of servers or infrastructure devices
- Exploitation is usually straightforward, in the sense that the attacker does not need any special authentication credentials or knowledge about individual victims, and does not need to persuade a target user, for example via social engineering, into performing any special functions
If multiple reports are received for the same issue, rewards will be awarded to the earliest report with enough information to reproduce the issue. We will not offer reward points for previously known issues. We determines duplicates and cannot share details on other reports. Identical issues across different production and non-production environment counterparts will be considered duplicates. This policy is in line with others in the industry.