Responsible Vulnerability Disclosure

Last update: January 28, 2025

Introduction

Pareto Security welcomes feedback from security researchers and the public to enhance our security. If you find a vulnerability, privacy issue, or other security concern in our assets, please report it following this policy.

Systems in Scope

This policy applies to all digital assets owned, operated, or maintained by Pareto Security.

Out of Scope

A vulnerability is a weakness in our products or infrastructure that could affect confidentiality, integrity, or availability. The following are not considered vulnerabilities:

• Account enumeration, XMLRPC, DoS and other non-critical vulnerabilities on https://paretosecurity.com/blog;
• Missing MTA-STS DNS record;
• Missing domain lock flag;
• No immediate OAuth session invalidation -- happens in a few hours;
• Theoretical issues with no realistic exploit;
• Allowed weak passwords, as our app nudges people to use a password manager;
• Clickjacking on unauthenticated or static pages.
• Leaks to Sentry.io -- they are auto-scrubbed on the receiving end;
• Assets or equipment not owned by Pareto Security.

Our Commitments

When you report a vulnerability, you can expect us to:

• Respond promptly and validate your report;
• Keep you informed about the vulnerability's progress;
• Remediate vulnerabilities promptly within our constraints;
• Provide Safe Harbor for your good-faith research.

Our Expectations

To participate in our vulnerability disclosure program, please:

• Follow this policy and relevant agreements;
• Report vulnerabilities promptly;
• Avoid violating privacy, disrupting systems, or harming users;
• Use only official channels for communication;
• Allow at least 90 days to resolve issues before public disclosure;
• Test only in-scope systems and respect out-of-scope areas;
• Limit data access to what’s necessary and stop if you encounter sensitive information;
• Use only your own test accounts or those with explicit permission;
• Avoid extortion.

Exclusions

Do not:

• Cause denial of service;
• Interact with accounts without permission;
• Test contact and support forms.

Safe Harbor

Research conducted under this policy is:

• Protected under applicable anti-hacking and anti-circumvention laws;
• Exempt from certain Terms of Service restrictions related to security research;
• Considered lawful and conducted in good faith.

Ensure compliance with all applicable laws. If a third party initiates legal action and you followed this policy, we will support your compliance.

If unsure about your research's compliance, report it through official channels before proceeding.

Safe Harbor applies only to claims within our control and does not bind independent third parties.

Contact Us

If you find a vulnerability, please contact us with detailed information.

Vulnerability Reports

View all current vulnerability reports and official audits, ordered by disclosure date.