
Parrot Sec

Security GNU/Linux distribution designed with cloud pentesting and IoT security in mind.

It includes a full portable laboratory for security and digital forensics experts, but it also includes all you need to develop your own software or protect your privacy with anonymity and crypto tools.

Disclosure policy

To qualify for a reward under this program, you should:

  • Be the first to report a vulnerability.
  • Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
  • Send a clear textual description of the report along with steps to reproduce the vulnerability.
  • Include attachments such as screenshots or proof of concept code as necessary.
  • Disclose the vulnerability report directly and exclusively to us.
  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

A good bug report should include the following information at a minimum:

  • List the URL and any affected parameters
  • Describe the OS, and/or app version
  • Describe the perceived impact. How could the bug potentially be exploited?

Parrot Sec is interested in security issues in our Parrot Sec Operating System and its Editions. Reports on our web services are currently out of scope, except on our main domain __.

If you want to submit a report to us but do not wish to create a HackerOne account, we allow anonymous submissions here: Submit an Anonymous Report.


We will give a Certificate to those Security Researchers who discover Security Issues in our Pentesting OS. Check the in-scope items below that we are particularly interested in hearing about.

We are focused on Vulnerabilities on our Pentesting OS

Security issues in any current release of Parrot Sec OS. This includes:

  • Full Edition
  • Lite/Home Edition
  • Air Edition
  • Cloud Edition
  • Studio Edition
  • Embedded Devices and IoT


  • Local Root Exploit (Parrot Sec OS)
  • Privilege Escalation
  • RCE
  • XSS
  • Any Injections (SQLi, SSI, HTML, etc.)
  • Authorization flaws/Access Control Bypasses (e.g. being able to perform security-sensitive actions as a Restricted User)

Note: Our website is a low priority; only valid reports on our main domain __ will be rewarded with points.


  • Parrotsec Subdomains
  • Attacks requiring physical access to a user's device.
  • Third-party app bugs/vulnerabilities that may affect our Web Services.
  • Vulnerabilities in outdated versions of Parrot Sec OS and others.
  • Theoretical Bugs without Proof of Concept.
  • Issues that do not have any impact on the general public.
  • Missing security best practices that do not directly lead to a vulnerability
  • Cookie reuse on our website (We already know that).
  • Login/Logout CSRF
  • Missing Security Headers
  • Missing SPF, DMARC issues.
  • Bugs/Vulnerability from Scanners without a Proof of Exploitation
  • Bugs that are already reported on our GitHub page __
  • User Enumeration
  • Text Injection / Content Spoofing
  • Clickjacking
  • HttpOnly and Secure cookie flags
  • SSL/TLS related (such as HSTS, GET over HTTP, Password sent in HTTP)
  • Directory Listings
  • Captcha Bypass


While researching, we'd like to ask you to refrain from:

  • Denial of service
  • Spamming
  • Social engineering (including phishing) of Parrot Sec staff or contractors
  • Any physical attempts against Parrot Sec property or data centers
  • Automated tools or scans, botnet, compromised site, end-clients or any other means of large automated exploitation or use of a tool that generates a significant volume of traffic.

Thank you for helping keep Parrot Sec and our users safe!

In Scope

Scope Type Scope Name

Parrot Security OS


Out of Scope

Scope Type Scope Name


This program leverages 3 scopes, in 2 scope categories.

FireBounty © 2015-2020
