Security GNU/Linux distribution designed with cloud pentesting and IoT
security in mind.
It includes a full portable laboratory for security and digital forensics
experts, but it also includes all you need to develop your own softwares or
protect your privacy with anonymity and crypto tools.
To qualify for a reward under this program, you should:
- Be the first to report a vulnerability.
- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
- Send a clear textual description of the report along with steps to reproduce the vulnerability.
- Include attachments such as screenshots or proof of concept code as necessary.
- Disclose the vulnerability report directly and exclusively to us.
- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
A good bug report should include the following information at a minimum:
- List the URL and any affected parameters
- Describe the OS, and/or app version
- Describe the perceived impact. How could the bug potentially be exploited?
Parrot Sec is interested in security issues on our Parrot Sec Operating
System and it's Editions, reports in our web services are currently out of
scope except in our main domain www.parrotsec.org
If you want to submit a report to us but do not wish to create a HackerOne
account, we allow anonymous submissions here: Submit an Anonymous
We will give a Certificate to those Security Researchers who discovers
Security Issues on our Pentesting OS. You can check below the In Scope
that we are particularly interested in hearing about.
We are focused on Vulnerabilities on our Pentesting OS
Security issues in any current release of Parrot Sec OS. This includes:
- Full Edition
- Lite/Home Edition
- Air Edition
- Cloud Edition
- Studio Edition
- Embedded Devices and IoT
- Local Root Exploit ( Parrot Sec OS )
- Privilege Escalation
- Any Injections (SQLi, SSI, HTML, etc.)
- Authorization flaws/Access Control Bypasses (e.g. being able to perform security-sensitive actions as a Restricted User)
Note: We have a low priority on our website, only valid reports on our
main domain parrotsec.org __will be rewarded by
- Parrotsec Subdomains
- Attacks requiring physical access to a user's device.
- Third Party App's Bugs/Vulnerabilities that may affect our Web Services.
- Vulnerabilities in outdated versions of Parrot Sec OS and others.
- Theoretical Bugs without Proof of Concept.
- Issues that do not have any impact on the general public.
- Missing security best practices that do not directly lead to a vulnerability
- Cookie reuse on our website (We already know that).
- Login/Logout CSRF
- Missing Security Headers
- Missing SPF, DMARC issues.
- Bugs/Vulnerability from Scanners without a Proof of Exploitation
- Bugs that already reported in our Github Page __
- User Enumeration
- Text Injecttion / Content Spoofing
- HttpOnly and Secure cookie flags
- SSL/TLS related (such as HSTS, GET over HTTP, Password sent in HTTP)
- Directory Listings
- Captcha Bypass
While researching, we'd like to ask you to refrain from:
- Denial of service
- Social engineering (including phishing) of Parrot Sec staff or contractors
- Any physical attempts against Parrot Sec property or data centers
- Automated tools or scans, botnet, compromised site, end-clients or any other means of large automated exploitation or use of a tool that generates a significant volume of traffic.
Thank you for helping keep Parrot Sec and our users safe!