Responsible Disclosure

Introduction Statement

Parchment, the market leader in electronic credential exchange, is dedicated to helping lifelong learners around the world turn credentials into opportunities. As a mission-driven organization, we take this responsibility seriously: we are committed to being a good custodian of learner and member data, and we take all reasonable and appropriate countermeasures to ensure data security, privacy, confidentiality, integrity and availability.

We encourage responsible reporting of any potential areas for improvement or vulnerabilities that may be found in our applications.

Please review these guidelines before exploring or reporting any vulnerabilities. This program is in place for all of Parchment’s products and services.

Please note, this policy only applies to your direct interactions with Parchment System(s) and Product(s). We cannot and do not authorize security research on behalf of other entities or other third party systems and products.

Guidelines

  • Do not introduce malware into our systems
  • Do not make changes to our systems
  • Do not attempt to access anyone else’s data or personal information including by exploiting a vulnerability. If during your testing you interacted with or obtained access to data or personal information of others, you must:
    • Stop your testing immediately and cease any activity that involves the data or personal information relating to the potential vulnerability.
    • Do not save, copy, store, transfer, disclose or otherwise retain the data or personal information.
    • Alert Parchment immediately and support our investigation and mitigation efforts.
  • Do not initiate a fraudulent financial transaction
  • Do not store, share, compromise or destroy data belonging to Parchment LLC, its subsidiaries, or its customers
  • Provide a detailed summary of the vulnerability, including the target, steps, tools, and artifacts used during discovery (the detailed summary will allow us to reproduce the vulnerability)
  • Do not compromise the privacy or safety of our customers and the operation of our services
  • Do not violate any national, state, or local law or regulation
  • Do not publicly disclose vulnerability details without Parchment written permission
  • Do not deploy automated scans against Parchment resources (e.g., Parchment-owned IPs or domains)
  • You must not be currently located in or otherwise ordinarily resident in Cuba, Iran, North Korea, Sudan, Syria or Crimea, or any other sanctioned country
  • You must not be on a U.S. Government list of sanctioned individuals (including a Specially Designated Nationals List)
  • You are not, nor have you been within the last six (6) months, an employee of Parchment or its subsidiaries, or an immediate family member of such an employee
  • You are not now, nor have you ever been, a vendor or contractor of Parchment
  • Agree to participate in testing mitigation effectiveness and coordinating disclosure/release/publication of your finding, if Parchment requests such participation
  • You are at least 18 years old

Out of Scope

Any services hosted by 3rd party providers and services are excluded from scope.

In the interest of the safety of our users, staff, the Internet at large and you as a security researcher, the following test types are excluded from scope:

  • Findings from physical testing such as office access (e.g. open doors, tailgating)
  • Findings derived primarily from social engineering (e.g. phishing, vishing)
  • Findings from applications or systems not listed in the ‘Scope’ section
  • UI and UX bugs and spelling mistakes
  • Network-level Denial of Service (DoS/DDoS) vulnerabilities
  • Brute force attacks
  • Third-party bugs or defects

How to report a security vulnerability?

If you believe you’ve found a security vulnerability in one of our products or platforms please contact us by emailing security@parchment.com. Please include the following details with your report:

  • The name(s) of the Parchment product or technology
  • The potential impact of the vulnerability
  • Description of the location and potential impact of the vulnerability
  • A detailed description of the steps required to reproduce the vulnerability (including POC scripts, screenshots, and/or compressed screen captures)

Details we DO NOT want to receive:

  • Personal Identifiable Information
  • Credit card holder data
  • Transcript or other Credential Data

If you choose not to email details of your finding, please contact us at security@parchment.com and we will work with you to identify a method to securely transmit your vulnerability report.

Parchment Commitment

Upon submission of a potential vulnerability report and subject to your compliance with all applicable guidelines set forth in this policy, the Parchment security team and associated development organizations will use reasonable efforts to:

  • Respond in a timely manner, acknowledging receipt of your submission
  • Provide an estimated time frame for addressing the reported potential vulnerability
  • Parchment’s policy is to address vulnerabilities that it determines in its sole discretion to be critical within ninety (90) days from the date the vulnerability is validated by Parchment
  • Notify you upon fixing the vulnerability
  • Continually evaluate our systems and programs for their effectiveness