Responsible Disclosure

Introduction Statement

Parchment, the market leader in electronic credential exchange, is dedicated to helping lifelong learners around the world turn credentials into opportunities. As a mission driven organization, we take this responsibility seriously, and are committed to being a good custodian of learner and member data and take all reasonable and appropriate countermeasures to ensure data security, privacy, confidentiality, integrity and availability.

We encourage responsible reporting of any potential areas for improvement or vulnerabilities that may be found in our applications.

Please review these guidelines before exploring or reporting any vulnerabilities. This program is in place for all of Parchment’s products and services.

Please note, this policy only applies to your direct interactions with Parchment System(s) and Product(s). We cannot and do not authorize security research on behalf of other entities or other third party systems and products.

Guidelines

Do not introduce malware into our systems
Do not make changes to our systems
Do not attempt to access anyone else’s data or personal information including by exploiting a vulnerability. If during your testing you interacted with or obtained access to data or personal information of others, you must:
- Stop your testing immediately and cease any activity that involves the data or personal information relating to the potential vulnerability.
- Do not save, copy, store, transfer, disclose or otherwise retain the data or personal information.
- Alert Parchment immediately and support our investigation and mitigation efforts.
Do not initiate a fraudulent financial transaction
Do not store, share, compromise or destroy Parchment LLC and Parchment LLC subsidiaries, customers data
Provide a detailed summary of the vulnerability, including the target, steps, tools, and artifacts used during discovery (the detailed summary will allow us to reproduce the vulnerability)
Do not compromise the privacy or safety of our customers and the operation of our services
Do not violate any national, state, or local law or regulation
Do not publicly disclose vulnerability details without Parchment written permission
Do not deploy automated scans on Parchment resources (e.g., Parchment owned IPs domains)
You must not be currently located in or otherwise ordinarily resident in Cuba, Iran, North Korea, Sudan, Syria or Crimea, or any other sanctioned country
You must not be on a U.S. Government list of sanctioned individuals (including a Specially Designated Nationals List)
You are not nor have been within the last six (6) months an employee or an immediate family member of an employee of Parchment or its subsidiaries
You are not now nor have been a vendor or contractor of Parchment
Agree to participate in testing mitigation effectiveness and coordinating disclosure/release/publication of your finding, if Parchment requests such participation
You are at least 18 years old

Out of Scope

Any services hosted by 3rd party providers and services are excluded from scope.

In the interest of the safety of our users, staff, the Internet at large and you as a security researcher, the following test types are excluded from scope:

Findings from physical testing such as office access (e.g. open doors, tailgating)
Findings derived primarily from social engineering (e.g. phishing, vishing)
Findings from applications or systems not listed in the ‘Scope’ section
UI and UX bugs and spelling mistakes
Network-level Denial of Service (DoS/DDoS) vulnerabilities
Brute force attacks
Third-party bugs or defects

How to report a security vulnerability?

If you believe you’ve found a security vulnerability in one of our products or platforms please contact us by emailing security@parchment.com. Please include the following details with your report:

The name(s) of the Parchment product or technology
The potential impact of the vulnerability
Description of the location and potential impact of the vulnerability
A detailed description of the steps required to reproduce the vulnerability (including POC scripts, screenshots, and/or compressed screen captures)

Details we DO NOT want to receive:

Personal Identifiable Information
Credit card holder data
Transcript or other Credential Data
If you choose not to email details of your finding, please contact us at security@parchment.com and we will work with you to identify a method to securely transmit your vulnerability report

Parchment Commitment

Upon submission of a potential vulnerability report and subject to your compliance with all applicable guidelines set forth in this policy, the Parchment security team and associated development organizations will use reasonable efforts to:

Respond in a timely manner, acknowledging receipt of your submission
Provide an estimate time frame for addressing the reported potential vulnerability
Parchment’s policy is to address vulnerabilities that it determines in its sole discretion to be critical within ninety (90) days from the date the vulnerability is validated by Parchment
Notify you upon fixing the vulnerability
Continually evaluating the our systems and programs for their effectiveness

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
__sharethis_cookie_test__	session	ShareThis sets this cookie to track which pages are being shared and by whom.
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
lang	session	LinkedIn sets this cookie to remember a user's language setting.
li_gc	5 months 27 days	This is a cookie from LinkedIn and is used for storing visitors' consent regarding the use of cookies for non-essential purposes
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
liveagent_oref	1 year	This cookie is set by LiveAgent to allow Live Chat assistance for existing customers.
liveagent_ptid	1 year	LiveAgent sets this cookie to link previous chats and transcripts from a single visitor.
liveagent_sid	session	LiveAgent sets this cookie to capture a unique pseudonymous ID when a user requests a chat during an active session.
liveagent_vc	1 year	This cookie is set by LiveAgent to allow Live Chat assistance for existing customers.
NextPage	past	This cookie tracks the previous page to allow users to go back and forth between pages using the user interface buttons.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.
X-Salesforce-CHAT	session	This cookie is set by LiveAgent to allow Live Chat assistance for existing customers.

Cookie	Duration	Description
_clck	1 year	Persists the Clarity User ID and preferences, unique to that site, on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID.
_clsk	session	Connects multiple page views by a user into a single Clarity session recording.
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_N0Q7GW0J6L	2 years	This cookie is installed by Google Analytics.
_gat_gtag_UA_335339_11	2 hours	Set by Google to distinguish users.
_gat_UA-335339-11	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_hjAbsoluteSessionInProgress	30 minutes	Hotjar sets this cookie to detect the first pageview session of a user. This is a True/False flag set by the cookie.
_hjFirstSeen	30 minutes	Hotjar sets this cookie to identify a new user’s first session. It stores a true/false value, indicating whether it was the first time Hotjar saw this user.
_hjIncludedInPageviewSample	2 minutes	Hotjar sets this cookie to know whether a user is included in the data sampling defined by the site's pageview limit.
_hjIncludedInSessionSample	2 minutes	Hotjar sets this cookie to know whether a user is included in the data sampling defined by the site's daily session limit.
_hjSession_405366	30 minutes	These cookies ensure hotjar.com and its features work correctly. These include cookies that help us monitor site traffic and analytics, as well as cookies that enable us to run tests and optimize our site’s experience.
_hjSessionUser_405366	1 year	These cookies ensure hotjar.com and its features work correctly. These include cookies that help us monitor site traffic and analytics, as well as cookies that enable us to run tests and optimize our site’s experience.
AnalyticsSyncHistory	1 month	No description
ANONCHK	10 minutes	The Microsoft Clarity ANONCHK cookie, indicates whether MUID is transferred to ANID, which is a cookie used for advertising. Clarity doesn't use ANID and so this is always set to 0 indicating not for advertising.
CLID	1 year	Used by Microsoft Clarity. The cookie is set by embedded Microsoft Clarity scripts. The purpose of this cookie is for heatmap and session recording.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
disqus_unique	1 year	Set to record internal statistics for anonymous visitors.
loglevel	never	Collects data on visitor interaction with the website's video-content - This data is used to make the website's video-content more relevant towards the visitor.
SM	session	This Microsoft Clarity cookie is used in synchronizing the MUID across Microsoft domains.
SRM_B	1 year 24 days	Used by Microsoft Clarity as a unique ID for visitors.
ti_	2 years	This cookie is set by Triblio to track the way a visitor uses the website and to monitor the performance of marketing campaigns.
vuid	2 years	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website.

Cookie	Duration	Description
__jid	30 minutes	Cookie used to remember the user's Disqus login credentials across websites that use Disqus.
AWSALB	7 days	AWSALB is an application load balancer cookie set by Amazon Web Services to map the session to the target.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
bito	1 year 1 month	This cookie is set by Beeswax for advertisement purposes.
bitoIsSecure	1 year 1 month	Beeswax sets this cookie for targeting and advertising. The cookie is used to serve the user with relevant advertisements based on real time bidding.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
MUID	1 year 24 days	Bing sets this cookie to recognize unique web browsers visiting Microsoft sites. This cookie is used for advertising, site analytics, and other operations.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
tuuid	2 years	The tuuid cookie, set by BidSwitch, stores an unique ID to determine what adverts the users have seen if they have visited any of the advertiser's websites. The information is used to decide when and how often users will see a certain banner.
tuuid_lu	2 years	This cookie, set by BidSwitch, stores a unique ID to determine what adverts the users have seen while visiting an advertiser's website. This information is then used to understand when and how often users will see a certain banner.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Responsible Disclosure

Introduction Statement

Guidelines

Out of Scope

How to report a security vulnerability?

Parchment Commitment

Order

Markets

PRODUCTS

About

RESOURCES