Vulnerability Disclosure Policy
How to report security vulnerabilities in Parascope
Safe Harbor
Security researchers acting in good faith will not face legal action from Parascope. "Good faith" means:
- No data destruction or modification
- No access beyond what is necessary to demonstrate the vulnerability
- No accessing other customers' data
- Prompt reporting of discovered vulnerabilities
Scope
The following systems are in scope for vulnerability reports:
- All *.parascope.io services
- The collector appliance image
Out of Scope
- Social engineering of Parascope staff or customers
- Physical attacks
- Third-party payment processors, identity providers, and hosting infrastructure
- Denial of service attacks
How to Report
Send vulnerability reports to security@parascope.io. Include:
- Description of the vulnerability
- Steps to reproduce
- Impact assessment
- Any proof-of-concept code (non-destructive)
Response SLA
| Stage | Timeframe |
|---|---|
| Acknowledgment | 2 business days |
| Triage and severity assessment | 5 business days |
| Fix timeline communicated | 10 business days |
| Critical/High severity fix | 30 days |
| Medium/Low severity fix | 90 days |
Recognition
Researchers who report valid vulnerabilities will be credited in release notes (with consent). No monetary bounties are offered at this time.