Responsible Vulnerability Disclosure
Last update: January 28, 2025
Introduction
Pareto Security welcomes feedback from security researchers and the public to enhance our security. If you find a vulnerability, privacy issue, or other security concern in our assets, please report it following this policy.
Systems in Scope
This policy applies to all digital assets owned, operated, or maintained by Pareto Security.
Out of Scope
A vulnerability is a weakness in our products or infrastructure that could affect confidentiality, integrity, or availability. The following are not considered vulnerabilities:
- Account enumeration, XMLRPC, DoS and other non-critical vulnerabilities on https://paretosecurity.com/blog;
- Missing MTA-STS DNS record;
- Missing domain lock flag;
- No immediate OAuth session invalidation -- happens in a few hours;
- Theoretical issues with no realistic exploit;
- Allowed weak passwords, as our app nudges people to use a password manager;
- Clickjacking on unauthenticated or static pages;
- Leaks to Sentry.io -- they are auto-scrubbed on the receiving end;
- Assets or equipment not owned by Pareto Security.
Our Commitments
When you report a vulnerability, you can expect us to:
- Respond promptly and validate your report;
- Keep you informed about the vulnerability's progress;
- Remediate vulnerabilities promptly within our constraints;
- Provide Safe Harbor for your good-faith research.
Our Expectations
To participate in our vulnerability disclosure program, please:
- Follow this policy and relevant agreements;
- Report vulnerabilities promptly;
- Avoid violating privacy, disrupting systems, or harming users;
- Use only official channels for communication;
- Allow at least 90 days to resolve issues before public disclosure;
- Test only in-scope systems and respect out-of-scope areas;
- Limit data access to what’s necessary and stop if you encounter sensitive information;
- Use only your own test accounts or those with explicit permission;
- Avoid extortion.
Exclusions
Do not:
- Cause denial of service;
- Interact with accounts without permission;
- Test contact and support forms.
Safe Harbor
Research conducted under this policy is:
- Protected under applicable anti-hacking and anti-circumvention laws;
- Exempt from certain Terms of Service restrictions related to security research;
- Considered lawful and conducted in good faith.
Ensure compliance with all applicable laws. If a third party initiates legal action and you followed this policy, we will support your compliance.
If unsure about your research's compliance, report it through official channels before proceeding.
Safe Harbor applies only to claims within our control and does not bind independent third parties.
Contact Us
If you find a vulnerability, please contact us with detailed information.
Vulnerability Reports
View all current vulnerability reports and official audits, ordered by disclosure date.
Date | Reporter | Vulnerability | Resolution |
---|---|---|---|
July 2025 | Vaibhav Shinde | Mass account restriction via one-click signup form. | Enforce email verification on account creation. |
June 2025 | Vaibhav Shinde | User PII persistence in localStorage after logout. | Fixed localStorage reset on logout. |
May 2025 | Vaibhav Shinde | CAA DNS record missing. | Added the CAA record to our DNS. |
May 2025 | Vaibhav Shinde | Missing session invalidation on Account page password change form. | Added session invalidation. |
March 2025 | Parth Narula | Email flooding via password reset form. | Added rate limiting. |
December 2024 | Keyur Maheta | Too permissive CORS configuration. | Only allow CORS from a limited list of sources. |
June 2024 | Imran Ahmed | Missing session invalidation on cloud.paretosecurity.com. | Decreased session validity. Added session invalidation on logout and password reset. |
February 2022 | Anonymous User | Browser security headers for cloud.paretosecurity.com are not set. | Added appropriate browser headers to get "Grade A" on SecurityHeaders.com. |
September 2021 | rokki.ch | Missing /security.txt file. | Published a signed file on paretosecurity.com/security.txt. |