Responsible Vulnerability Disclosure

Last update: January 28, 2025

Introduction

Pareto Security welcomes feedback from security researchers and the public to enhance our security. If you find a vulnerability, privacy issue, or other security concern in our assets, please report it following this policy.

Systems in Scope

This policy applies to all digital assets owned, operated, or maintained by Pareto Security.

Out of Scope

• Assets or equipment not owned by parties participating in this policy.

Report vulnerabilities in out-of-scope systems to the appropriate vendor or authority.

Our Commitments

When you report a vulnerability, you can expect us to:

• Respond promptly and validate your report;
• Keep you informed about the vulnerability's progress;
• Remediate vulnerabilities promptly within our constraints;
• Provide Safe Harbor for your good-faith research.

Our Expectations

To participate in our vulnerability disclosure program, please:

• Follow this policy and relevant agreements;
• Report vulnerabilities promptly;
• Avoid violating privacy, disrupting systems, or harming users;
• Use only official channels for communication;
• Allow at least 90 days to resolve issues before public disclosure;
• Test only in-scope systems and respect out-of-scope areas;
• Limit data access to what’s necessary and stop if you encounter sensitive information;
• Use only your own test accounts or those with explicit permission;
• Avoid extortion.

Exclusions

Do not:

• Cause denial of service;
• Interact with accounts without permission;
• Test contact and support forms.

Definition of a Vulnerability

A vulnerability is a weakness in our products or infrastructure that could affect confidentiality, integrity, or availability. The following are not considered vulnerabilities:

• HTTP header configurations (e.g., X-Frame-Options, CSP);
• Missing security attributes on non-sensitive cookies;
• Theoretical issues with no realistic exploit;
• Domain settings issues (e.g., SPF, DKIM);
• Clickjacking on unauthenticated or static pages.

Safe Harbor

Research conducted under this policy is:

• Protected under applicable anti-hacking and anti-circumvention laws;
• Exempt from certain Terms of Service restrictions related to security research;
• Considered lawful and conducted in good faith.

Ensure compliance with all applicable laws. If a third party initiates legal action and you followed this policy, we will support your compliance.

If unsure about your research's compliance, report it through official channels before proceeding.

Safe Harbor applies only to claims within our control and does not bind independent third parties.

Contact Us

If you find a vulnerability, please contact us with detailed information.

Vulnerability Reports

View all current vulnerability reports and official audits, ordered by disclosure date.