Responsible Disclosure · PartsPerk

Responsible Disclosure Program

PartsPerk LLC welcomes coordinated disclosure of security vulnerabilities affecting the PartsPerk platform. This program defines the scope, ground rules, and safe-harbor commitments for security researchers acting in good faith.

In scope

*.partsperk.com web properties (production).
Public APIs at api.partsperk.com.
Mobile and desktop client builds distributed by PartsPerk LLC.
Third-party services we operate that we publicly attribute.

Out of scope

Denial-of-service or stress-testing without prior written approval.
Social engineering of staff, suppliers, or customers.
Physical attacks on offices, data centers, or hardware.
Findings derived from spam, phishing, or unsolicited content posted by third parties.
Vulnerabilities requiring a stolen or rooted device with prior physical access.
Cookie / session-issue findings without a demonstrable security impact.

Ground rules

Test only against accounts and data you own or have explicit permission to test.
Avoid privacy violations, service disruption, and destruction of data.
Do not publicly disclose a vulnerability until we have had a reasonable opportunity to fix it.
Do not extort, threaten, or demand payment as a condition of reporting.

Safe harbor

Good-faith research is welcome

If you act in good faith, follow this policy, and stay within scope, PartsPerk LLC will not pursue legal action against you under the Computer Fraud and Abuse Act, the DMCA, or analogous laws, and will treat your testing as authorized for purposes of those statutes. We may also acknowledge your contribution publicly with your permission.

Disclosure process

Email security@partsperk.com with a clear description, reproduction steps, and expected impact. PGP encryption available on request.
We acknowledge within 2 business days, triage within 5 business days, and assign a severity using a CVSS-aligned rubric.
We provide status updates at least every 14 days until resolution.
Coordinated public disclosure — typically within 90 days of confirmed report — once the fix is deployed and customers have had reasonable time to update.

Rewards

We do not currently operate a paid bounty program, but high-quality reports are eligible for swag, recognition, and an entry on our hall-of-fame on request.

Submit a vulnerability report

Send a report to security@partsperk.com. PGP encryption available on request. Acknowledgement within two business days.

Email the security team Back to Trust Center

PartsPerk LLC · Delaware, United States · Doc /security/responsible-disclosure · v1.0

Responsible Disclosure Program

In scope

*.partsperk.com web properties (production).
Public APIs at api.partsperk.com.
Mobile and desktop client builds distributed by PartsPerk LLC.
Third-party services we operate that we publicly attribute.

Out of scope

Denial-of-service or stress-testing without prior written approval.
Social engineering of staff, suppliers, or customers.
Physical attacks on offices, data centers, or hardware.
Findings derived from spam, phishing, or unsolicited content posted by third parties.
Vulnerabilities requiring a stolen or rooted device with prior physical access.
Cookie / session-issue findings without a demonstrable security impact.

Ground rules

Test only against accounts and data you own or have explicit permission to test.
Avoid privacy violations, service disruption, and destruction of data.
Do not publicly disclose a vulnerability until we have had a reasonable opportunity to fix it.
Do not extort, threaten, or demand payment as a condition of reporting.

Safe harbor

Good-faith research is welcome

Disclosure process

Email security@partsperk.com with a clear description, reproduction steps, and expected impact. PGP encryption available on request.
We acknowledge within 2 business days, triage within 5 business days, and assign a severity using a CVSS-aligned rubric.
We provide status updates at least every 14 days until resolution.
Coordinated public disclosure — typically within 90 days of confirmed report — once the fix is deployed and customers have had reasonable time to update.

Rewards

We do not currently operate a paid bounty program, but high-quality reports are eligible for swag, recognition, and an entry on our hall-of-fame on request.

Submit a vulnerability report

Send a report to security@partsperk.com. PGP encryption available on request. Acknowledgement within two business days.

Email the security team Back to Trust Center

PartsPerk LLC · Delaware, United States · Doc /security/responsible-disclosure · v1.0

Responsible Disclosure Program

In scope

Out of scope

Ground rules

Safe harbor

Disclosure process

Rewards

Submit a vulnerability report

Related

Responsible Disclosure Program

In scope

Out of scope

Ground rules

Safe harbor

Disclosure process

Rewards

Submit a vulnerability report

Related