Parchment, the market leader in electronic credential exchange, is dedicated to helping lifelong learners around the world turn credentials into opportunities. As a mission-driven organization, we take this responsibility seriously, are committed to being a good custodian of learner and member data, and take all reasonable and appropriate countermeasures to ensure data security, privacy, confidentiality, integrity and availability.
We encourage responsible reporting of any potential areas for improvement or vulnerabilities that may be found in our applications.
Please review these guidelines before exploring or reporting any vulnerabilities. This program is in place for all of Parchment’s products and services.
Please note, this policy only applies to your direct interactions with Parchment System(s) and Product(s). We cannot and do not authorize security research on behalf of other entities or other third-party systems and products.
Do not introduce malware into our systems
Do not make changes to our systems
Do not attempt to access anyone else’s data or personal information including by exploiting a vulnerability. If during your testing you interacted with or obtained access to data or personal information of others, you must:
Stop your testing immediately and cease any activity that involves the data or personal information relating to the potential vulnerability.
Do not save, copy, store, transfer, disclose or otherwise retain the data or personal information.
Alert Parchment immediately and support our investigation and mitigation efforts.
Do not initiate a fraudulent financial transaction
Do not store, share, compromise or destroy Parchment LLC, Parchment LLC subsidiary, or customer data
Provide a detailed summary of the vulnerability, including the target, steps, tools, and artifacts used during discovery (the detailed summary will allow us to reproduce the vulnerability)
Do not compromise the privacy or safety of our customers and the operation of our services
Do not violate any national, state, or local law or regulation
Do not publicly disclose vulnerability details without Parchment's written permission
Do not deploy automated scans on Parchment resources (e.g., Parchment-owned IPs and domains)
You must not be currently located in or otherwise ordinarily resident in Cuba, Iran, North Korea, Sudan, Syria or Crimea, or any other sanctioned country
You must not be on a U.S. Government list of sanctioned individuals (including a Specially Designated Nationals List)
You are not, nor have been within the last six (6) months, an employee or an immediate family member of an employee of Parchment or its subsidiaries
You are not now, nor have been, a vendor or contractor of Parchment
Agree to participate in testing mitigation effectiveness and coordinating disclosure/release/publication of your finding, if Parchment requests such participation
You are at least 18 years old
Any services hosted by 3rd party providers and services are excluded from scope.
In the interest of the safety of our users, staff, the Internet at large and you as a security researcher, the following test types are excluded from scope:
Findings from physical testing such as office access (e.g. open doors, tailgating)
Findings derived primarily from social engineering (e.g. phishing, vishing)
Findings from applications or systems not listed in the ‘Scope’ section
UI and UX bugs and spelling mistakes
Network-level Denial of Service (DoS/DDoS) vulnerabilities
Brute force attacks
Third-party bugs or defects
If you believe you’ve found a security vulnerability in one of our products or platforms, please contact us by emailing security@parchment.com. Please include the following details with your report:
The name(s) of the Parchment product or technology
The potential impact of the vulnerability
Description of the location and potential impact of the vulnerability
A detailed description of the steps required to reproduce the vulnerability (including POC scripts, screenshots, and/or compressed screen captures)
Details we DO NOT want to receive:
Personally Identifiable Information
Credit card holder data
Transcript or other Credential Data
If you choose not to email details of your finding, please contact us at security@parchment.com and we will work with you to identify a method to securely transmit your vulnerability report
Upon submission of a potential vulnerability report and subject to your compliance with all applicable guidelines set forth in this policy, the Parchment security team and associated development organizations will use reasonable efforts to:
Respond in a timely manner, acknowledging receipt of your submission
Provide an estimated time frame for addressing the reported potential vulnerability
Parchment’s policy is to address vulnerabilities that it determines in its sole discretion to be critical within ninety (90) days from the date the vulnerability is validated by Parchment
Notify you upon fixing the vulnerability
Continually evaluate our systems and programs for their effectiveness