A GNU/Linux distribution designed with cloud pentesting and IoT security in mind.
It includes a full portable laboratory for security and digital forensics experts, including everything you need to develop your own software or protect your privacy with anonymity and crypto tools.
| Disclosure policy |
|---|
| To qualify for a reward under this program, you should: |
- Be the first to report a vulnerability.
- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
- Send a clear textual description of the report along with steps to reproduce the vulnerability.
- Include attachments such as screenshots or proof of concept code as necessary.
- Disclose the vulnerability report directly and exclusively to us.
- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
A good bug report should include the following information at a minimum:
- List the URL and any affected parameters
- Describe the OS, and/or app version
- Describe the perceived impact. How could the bug potentially be exploited?
ParrotOS is interested in security issues in our operating system and its editions. Reports on our web services are currently out of scope, except for our main domain www.parrotsec.org.
If you want to submit a report to us but do not wish to create a HackerOne account, we allow anonymous submissions here: Submit an Anonymous Report.
| Swags |
|---|
| We will give a Certificate to those Security Researchers who discover Security Issues in our Pentesting OS. You can check below the In Scope items that we are particularly interested in hearing about. |
We are focused on Vulnerabilities in ParrotOS.
Security issues in any current release of ParrotOS. This includes:
- Security Edition
- Home Edition
- Docker containers
- RaspberryPi Images
- HackTheBox Edition
- Local Root Exploit (Parrot Sec OS)
- Privilege Escalation
- RCE
- XSS
- Any Injections (SQLi, SSI, HTML, etc.)
- Authorization flaws/Access Control Bypasses (e.g. being able to perform security-sensitive actions as a Restricted User)
Note: Our website is a low priority; only valid reports on our main domain parrotsec.org will be rewarded with points. The following are out of scope:
- Parrotsec Subdomains
- Attacks requiring physical access to a user's device.
- Bugs/Vulnerabilities in Third Party Apps that may affect our Web Services.
- Vulnerabilities in outdated versions of Parrot Sec OS and other software.
- Theoretical Bugs without Proof of Concept.
- Issues that do not have any impact on the general public.
- Missing security best practices that do not directly lead to a vulnerability
- Cookie reuse on our website (We already know that).
- Login/Logout CSRF
- Missing Security Headers
- Missing SPF, DMARC issues.
- Bugs/Vulnerabilities reported by Scanners without a Proof of Exploitation
- Bugs that have already been reported on our GitHub Page
- User Enumeration
- Text Injection / Content Spoofing
- Clickjacking
- HttpOnly and Secure cookie flags
- SSL/TLS related (such as HSTS, GET over HTTP, Password sent in HTTP)
- Directory Listings
- Captcha Bypass
| Exclusions |
|---|
| While researching, we'd like to ask you to refrain from: |
- Denial of service
- Spamming
- Social engineering (including phishing) of ParrotOS staff or contractors
- Any physical attempts against ParrotOS property or data centers
- Automated tools or scans, botnets, compromised sites, end clients, or any other means of large-scale automated exploitation, or use of a tool that generates a significant volume of traffic.
Thank you for helping keep ParrotOS and our users safe!