Trust
Our Vulnerability Disclosure Program, and how to report responsibly.
PARI FINANCE INC., Vulnerability Disclosure & Alternative Reward Program
| Policy Document ID | SEC-POL-009 |
|---|---|
| Effective Date | June 30, 2026 |
| Version | 1.1 |
| Review Cycle | Annual |
| Approved By | Chief Executive Officer |
| Target Audit | SOC 2 Type I / Type II |
At Pari Finance Inc. (“Pari Finance”), safeguarding customer financial information and maintaining enterprise-grade platform security is central to our mission. We recognize the invaluable role that independent security researchers and the broader ethical hacking community play in identifying vulnerabilities.
This document formalizes our Vulnerability Disclosure Program (VDP) and alternative reward structure to fulfill the security infrastructure monitoring requirements mandated by the AICPA SOC 2 trust services criteria (specifically CC4.1, CC7.1, and CC7.3 regarding vulnerability management and continuous monitoring).
As an early-stage fintech company, Pari Finance does not operate a cash-based financial bounty program. Instead, we offer a robust alternative recognition framework designed to celebrate, document, and validate the professional expertise of researchers who help secure our infrastructure under strict ethical guidelines.
If a security researcher complies with the guidelines outlined in this policy when testing Pari Finance digital assets, we commit to the following:
Testing must strictly be restricted to the specific assets listed below. Any system not explicitly detailed is out-of-scope.
The following activities and mechanisms are strictly prohibited and nullify all Safe Harbor provisions:
To qualify for validation, all vulnerability findings must be communicated through the designated secure ingestion pipeline:
Pari Finance rates vulnerabilities based on the Common Vulnerability Scoring System (CVSS v3.1) and practical impact. Because we prioritize capital efficiency, rewards are non-monetary but structurally optimized to support the career, credibility, and professional profile of ethical security engineers.
| Severity | CVSS Range | Technical Examples | Alternative Incentives |
|---|---|---|---|
| Critical | 9.0 – 10.0 | Remote Code Execution (RCE), complete database bypass, cross-tenant data access, financial logic bypasses. | Top Tier Hall of Fame placement, signed CEO Letter of Commendation, LinkedIn Endorsement for technical proficiency, Priority Beta Partner access. |
| High | 7.0 – 8.9 | Stored XSS in authenticated views, broken object-level authorization (BOLA) exposing profile elements, unauthorized API access. | Hall of Fame placement, official Digital Certificate of Appreciation, technical acknowledgment on platform updates. |
| Medium | 4.0 – 6.9 | Reflected XSS, CSRF on significant actions, sub-domain takeovers, missing fundamental security headers enabling clickjacking. | Hall of Fame listing, technical validation acknowledgment via return communication. |
| Low | 0.1 – 3.9 | Version string disclosures, minor informational leakage, TLS configuration optimizations. | Standard log acknowledgment and written confirmation from the engineering team. |
Note on Professional Validation: Pari Finance understands the importance of verified credentials for independent consultants and cybersecurity students. Our Executive Leadership Team and General Counsel will happily verify alternative recognition documents for your professional portfolio or educational credit requirements upon request.
This policy serves as a foundational operational artifact for external SOC 2 auditors verifying compliance with continuous external security reviews. In accordance with internal vulnerability management protocols: