Vulnerability Reporting Policy

Introduction

Parapluie Creative is dedicated to supporting the field of cybersecurity with every product we develop. This policy describes how Parapluie will report vulnerabilities to vendors of products we use, and how we accept disclosures of vulnerabilities in products we develop, maintain, deploy, manage, and publish.

 

Vulnerability Reporting Policy

In the event that we discover a vulnerability in a product we develop, maintain, deploy, manage or publish, Parapluie Creative will take the following actions:

If the product is not maintained or developed by Parapluie Creative, we will:

First, notify the vendor of the vulnerability in their product, including steps on how to recreate the flaw. The vendor will be provided 2 weeks (14 days) to respond to the vulnerability. If they do not respond within two weeks, we will disclose the vulnerability at https://parapluie.dev/vulnerability-disclosure.

If the vendor responds, Parapluie Creative will provide them with 3 months (90 days) to remedy the vulnerability. The vulnerability will then be disclosed at https://parapluie.dev/vulnerabilies. If the vendor is a MITRE CVE CNA, the CVE number of the vulnerability will be associated with our disclosure. If the vendor is not a MITRE CVE CNA, Parapluie Creative will assign a CVE number 2 weeks (14 days) after discovery of the vulnerability.

Notify potentially affected Parapluie Creative customers, 2 weeks (14 days) after discovery, that a security vulnerability in the product has been discovered. We will not disclose the nature of the vulnerability until the date of our public disclosure.

In the event that Parapluie Creative is awarded a bug bounty for the discovery of a vulnerability, five percent (5%) of the bounty will be donated to a charity of Parapluie Creative’s choice.

If the product is maintained or developed by Parapluie Creative, we will:

First, notify customers affected by the vulnerability of its nature immediately upon discovery. Details of the vulnerability will not be disclosed until 90 days after the vulnerability has been discovered.

Report the vulnerability as a CVE to MITRE’s CVE database.

Issue a report on our findings at https://parapluie.dev/vulnerabilities within 90 days of fully repairing the bug.

At our sole discretion, we may choose to award a bounty to the first reporter of a vulnerability within a Parapluie Creative product. The award value will be decided at the sole discretion of Parapluie Creative.

Updates and Review

This policy may be updated at any time and without notice. Parapluie Creative is committed to ensuring this policy remains up to date, and it will be reviewed annually on its date of publishing. This policy was published on 08-26-2022, and will be reviewed again on 08-26-2023.
