Vulnerability disclosure policy
At Parachute, we take security seriously and we value the work of security researchers who help keep our platform and users safe. If you believe you’ve found a security vulnerability, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to fix the issue promptly.
We do not offer monetary rewards for vulnerability disclosures. This is not a bug bounty. We recognise valid findings on our wall of fame.
The following are in scope for this policy:
- goparachute.ai and all subdomains
- help.goparachute.ai
The following are not in scope for this policy:
- Third-party services and websites (e.g. status pages, chat services)
- Denial of service (DoS/DDoS) attacks
- Social engineering or phishing attacks against Parachute staff
- Physical attacks against Parachute offices or data centres
- Vulnerabilities that require unlikely or complex user interaction
- Reports of outdated software versions without a demonstrated exploit
- Cipher or TLS configuration weaknesses without a practical attack
When you report a vulnerability to us, we commit to:
- Acknowledge your report within 3 business days
- Keep you informed of our progress as we investigate and remediate
- Work to fix valid issues in a timely manner based on severity
- Provide safe harbour - we will not pursue legal action against researchers who follow this policy
- Recognise your contribution on our wall of fame if you wish
In return, we ask that you:
- Report promptly - let us know as soon as you discover a potential vulnerability
- Use official channels - report all findings to security@goparachute.ai
- Give us time - allow reasonable time for us to investigate and remediate before any public disclosure
- Minimise impact - only access data necessary to demonstrate the vulnerability; do not modify or delete data
- Stop if you find personal data - if you encounter any personal or sensitive data during testing, stop immediately and report what you’ve found
- Act in good faith - do not exploit vulnerabilities beyond what is necessary for a proof of concept
Send your report to security@goparachute.ai with:
- A description of the vulnerability and its potential impact
- Steps to reproduce the issue
- Any supporting evidence (screenshots, logs, proof of concept)
- Your contact details (so we can follow up)
Parachute supports safe harbour for security researchers who:
- Make a good faith effort to avoid privacy violations, data destruction, and service interruption
- Only interact with accounts they own or with explicit permission from the account holder
- Follow this disclosure policy
We will not initiate legal action against researchers who discover and report vulnerabilities in accordance with this policy. This includes claims under anti-hacking laws and anti-circumvention provisions.
If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in accordance with this policy.