Vulnerability Disclosure Policy

Last Updated: December 2024

Parallel Labs is committed to ensuring the security of our customers and their data. We value the contributions of security researchers and welcome responsible disclosure of vulnerabilities.

Scope

This policy applies to vulnerabilities discovered in:

  • parallellabs.app and its subdomains
  • Parallel Labs mobile applications
  • Parallel Labs APIs

Out of Scope

  • Third-party services and applications
  • Social engineering attacks
  • Physical security issues
  • Denial of Service (DoS/DDoS) attacks
  • Spam or phishing attempts

Guidelines for Researchers

When conducting security research, we ask that you:

Do

  • Report vulnerabilities promptly via security@parallellabs.app
  • Provide sufficient detail to reproduce the vulnerability
  • Allow us reasonable time (90 days) to address the issue before public disclosure
  • Act in good faith to avoid privacy violations, data destruction, or service disruption
  • Only interact with accounts you own or have explicit permission to test

Do Not

  • Access, modify, or delete data belonging to other users
  • Perform actions that could harm the availability of our services
  • Use automated scanning tools without prior approval
  • Publicly disclose vulnerabilities before we’ve had time to address them
  • Demand payment or compensation as a condition for reporting

Our Commitment

When you report a vulnerability in accordance with this policy, we commit to:

  • Acknowledge your report within 48 hours
  • Communicate openly about the status of your report
  • Work to remediate valid vulnerabilities in a timely manner
  • Recognize your contribution in our Hall of Fame (with your permission)
  • Not pursue legal action against researchers acting in good faith

Safe Harbor

We consider security research conducted in accordance with this policy to be:

  • Authorized concerning any applicable anti-hacking laws
  • Authorized concerning any relevant anti-circumvention laws
  • Exempt from restrictions in our Terms of Service that would interfere with security research

We will not pursue civil or criminal action, or send notice to law enforcement, for security research conducted in good faith according to this policy.

Contact

For security-related inquiries: