Pari logopari

Trust

Bug Bounty

Our Vulnerability Disclosure Program, and how to report responsibly.

PARI FINANCE INC., Vulnerability Disclosure & Alternative Reward Program

Policy Document IDSEC-POL-009
Effective DateJune 30, 2026
Version1.1
Review CycleAnnual
Approved ByChief Executive Officer
Target AuditSOC 2 Type I / Type II

1. Introduction & Purpose

At Pari Finance Inc. (“Pari Finance”), safeguarding customer financial information and maintaining enterprise-grade platform security is central to our mission. We recognize the invaluable role that independent security researchers and the broader ethical hacking community play in identifying vulnerabilities.

This document formalizes our Vulnerability Disclosure Program (VDP) and alternative reward structure to fulfill the security infrastructure monitoring requirements mandated by the AICPA SOC 2 trust services criteria (specifically CC4.1, CC7.1, and CC7.3 regarding vulnerability management and continuous monitoring).

As an early-stage fintech company, Pari Finance does not operate a cash-based financial bounty program. Instead, we offer a robust alternative recognition framework designed to celebrate, document, and validate the professional expertise of researchers who help secure our infrastructure under strict ethical guidelines.

2. Commitments & Safe Harbor

If a security researcher complies with the guidelines outlined in this policy when testing Pari Finance digital assets, we commit to the following:

  • Safe Harbor: We will consider your research authorized. We will not pursue legal action, law enforcement escalation, or civil litigation against you for security research conducted under this policy.
  • No Regulatory Escalation: If a third party initiates legal action against you, we will explicitly confirm to the relevant authority that your actions were authorized under our policy framework.
  • Active Collaboration: We will acknowledge your report promptly, work to understand the underlying technical defect, and communicate a path forward toward remediation.

3. Program Scope & Parameters

Testing must strictly be restricted to the specific assets listed below. Any system not explicitly detailed is out-of-scope.

3.1 In-Scope Assets

  • All primary applications hosted on *.pariapp.com
  • Core application program interfaces: api.pariapp.com
  • The Pari Finance native iOS and Android mobile production applications available via authorized app marketplaces.

3.2 Out-of-Scope Assets & Testing Methods

The following activities and mechanisms are strictly prohibited and nullify all Safe Harbor provisions:

  • Denial of Service (DoS, DDoS) attacks, volumetric load testing, or resource exhaustion validation.
  • Social engineering, phishing, spear-phishing, or vishing targeting Pari Finance corporate staff, vendors, or customer base.
  • Physical security attacks or unauthorized facility access targeting any Pari Finance corporate office, co-working space, or hosting infrastructure provider.
  • Exfiltration, modification, retention, or destruction of production client data. If a vulnerability exposes real user profiles or financial transactions, researchers must immediately halt testing and file a report.
  • Flaws inherent in third-party software, integrations, or compliance automation frameworks that do not direct risk to Pari Finance custom code or direct configurations.

4. Submission Guidelines & Reporting Process

To qualify for validation, all vulnerability findings must be communicated through the designated secure ingestion pipeline:

  • Transmission Method: Email reports directly to security@pariapp.com. We strongly recommend using PGP encryption for high-severity or exploitable submissions.
  • Required Information: Submissions must include a clear technical description of the flaw, endpoint, and specific asset impacted; step-by-step reproduction instructions, scripts, or Proof of Concept (PoC) code to safely validate the exploit; and an assessment of the potential business or technical impact (e.g., unauthorized data exposure, privilege escalation).
  • Confidentiality Agreement: Researchers must maintain strict non-disclosure. Public write-ups, blog posts, or social media statements detailing the vulnerability are prohibited until Pari Finance formally deploys a patch and grants explicit consent.

5. Evaluation & Alternative Reward Structure

Pari Finance rates vulnerabilities based on the Common Vulnerability Scoring System (CVSS v3.1) and practical impact. Because we prioritize capital efficiency, rewards are non-monetary but structurally optimized to support the career, credibility, and professional profile of ethical security engineers.

SeverityCVSS RangeTechnical ExamplesAlternative Incentives
Critical9.0 – 10.0Remote Code Execution (RCE), complete database bypass, cross-tenant data access, financial logic bypasses.Top Tier Hall of Fame placement, signed CEO Letter of Commendation, LinkedIn Endorsement for technical proficiency, Priority Beta Partner access.
High7.0 – 8.9Stored XSS in authenticated views, broken object-level authorization (BOLA) exposing profile elements, unauthorized API access.Hall of Fame placement, official Digital Certificate of Appreciation, technical acknowledgment on platform updates.
Medium4.0 – 6.9Reflected XSS, CSRF on significant actions, sub-domain takeovers, missing fundamental security headers enabling clickjacking.Hall of Fame listing, technical validation acknowledgment via return communication.
Low0.1 – 3.9Version string disclosures, minor informational leakage, TLS configuration optimizations.Standard log acknowledgment and written confirmation from the engineering team.

Note on Professional Validation: Pari Finance understands the importance of verified credentials for independent consultants and cybersecurity students. Our Executive Leadership Team and General Counsel will happily verify alternative recognition documents for your professional portfolio or educational credit requirements upon request.

6. SOC 2 Audit Mapping & Administrative Control

This policy serves as a foundational operational artifact for external SOC 2 auditors verifying compliance with continuous external security reviews. In accordance with internal vulnerability management protocols:

  • All submissions accepted into the program are tracked within our internal task management framework with tags indicating severity, response times, and remediation logs.
  • Vulnerability lifecycles are monitored automatically via integrated compliance tools to verify that critical items are mitigated within our defined SLA thresholds.
  • An annual review of this policy is conducted by executive management to adapt to changing architecture and shifting regulatory demands.

Pari Finance Inc. · Confidential & Proprietary