Parchment, the market leader in electronic credential exchange, is dedicated to helping lifelong learners around the world turn credentials into opportunities. As a mission-driven organization, we take this responsibility seriously. We are committed to being a good custodian of learner and member data and take all reasonable and appropriate countermeasures to ensure data security, privacy, confidentiality, integrity and availability.
We encourage responsible reporting of any potential areas for improvement or vulnerabilities that may be found in our applications.
Please review these guidelines before exploring or reporting any vulnerabilities. This program is in place for all of Parchment’s products and services.
Please note, this policy only applies to your direct interactions with Parchment System(s) and Product(s). We cannot and do not authorize security research on behalf of other entities or other third-party systems and products.
Do not introduce malware into our systems
Do not make changes to our systems
Do not attempt to access anyone else’s data or personal information including by exploiting a vulnerability. If during your testing you interacted with or obtained access to data or personal information of others, you must:
Stop your testing immediately and cease any activity that involves the data or personal information relating to the potential vulnerability.
Do not save, copy, store, transfer, disclose or otherwise retain the data or personal information.
Alert Parchment immediately and support our investigation and mitigation efforts.
Do not initiate a fraudulent financial transaction
Do not store, share, compromise or destroy data of Parchment LLC, Parchment LLC subsidiaries or customers
Provide a detailed summary of the vulnerability, including the target, steps, tools, and artifacts used during discovery (the detailed summary will allow us to reproduce the vulnerability)
Do not compromise the privacy or safety of our customers and the operation of our services
Do not violate any national, state, or local law or regulation
Do not publicly disclose vulnerability details without Parchment's written permission
Do not deploy automated scans on Parchment resources (e.g., Parchment-owned IPs, domains)
You must not be currently located in or otherwise ordinarily resident in Cuba, Iran, North Korea, Sudan, Syria or Crimea, or any other sanctioned country
You must not be on a U.S. Government list of sanctioned individuals (including a Specially Designated Nationals List)
You are not, nor have been within the last six (6) months, an employee or an immediate family member of an employee of Parchment or its subsidiaries
You are not now nor have been a vendor or contractor of Parchment
Agree to participate in testing mitigation effectiveness and coordinating disclosure/release/publication of your finding, if Parchment requests such participation
You are at least 18 years old
Any services hosted by 3rd party providers and services are excluded from scope.
In the interest of the safety of our users, staff, the Internet at large and you as a security researcher, the following test types are excluded from scope:
Findings from physical testing such as office access (e.g. open doors, tailgating)
Findings derived primarily from social engineering (e.g. phishing, vishing)
Findings from applications or systems not listed in the ‘Scope’ section
UI and UX bugs and spelling mistakes
Network-level Denial of Service (DoS/DDoS) vulnerabilities
Brute force attacks
Third-party bugs or defects
If you believe you’ve found a security vulnerability in one of our products or platforms, please contact us by emailing email@example.com. Please include the following details with your report:
The name(s) of the Parchment product or technology
The potential impact of the vulnerability
Description of the location and potential impact of the vulnerability
A detailed description of the steps required to reproduce the vulnerability (including POC scripts, screenshots, and/or compressed screen captures)
Details we DO NOT want to receive:
Personally Identifiable Information
Credit card holder data
Transcript or other Credential Data
If you choose not to email details of your finding, please contact us at firstname.lastname@example.org and we will work with you to identify a method to securely transmit your vulnerability report
Upon submission of a potential vulnerability report and subject to your compliance with all applicable guidelines set forth in this policy, the Parchment security team and associated development organizations will use reasonable efforts to:
Respond in a timely manner, acknowledging receipt of your submission
Provide an estimated time frame for addressing the reported potential vulnerability
Parchment’s policy is to address vulnerabilities that it determines in its sole discretion to be critical within ninety (90) days from the date the vulnerability is validated by Parchment
Notify you upon fixing the vulnerability
Continually evaluate our systems and programs for their effectiveness