[{"id":3562444,"new_policy":"# An Invitation to Security Researchers\n\nEvery company says they take security \"very seriously.\" Rather than bore anyone with banal boilerplate, here are some quick answers followed by detailed elaboration. If you have any questions about our policies, please email them to `scott@paragonie.com`.\n\n## We Practice Full Disclosure\n\nAny reports (valid or invalid) will be disclosed fully as soon as possible. This is a good security practice that we encourage more programs to adopt.\n\n## Quick Answers\n\n* There is no compulsion to disclose vulnerabilities privately, but we appreciate a head's up.\n* `security@paragonie.com` will get your reports to the right person. Our GPG  fingerprint, should you decide to encrypt your report, is `7F52 D5C6 1D12 55C7 3136  2E82 6B97 A1C2 8264 04DA`.\n* **YES**, we will reward security researchers who disclose vulnerabilities in our software.\n* In most cases, **No Proof-of-Concept Required.**\n* Please focus on the source repositories in our Github organization, **not our website** or any forks of other peoples' projects.\n* Unless it results in code execution, we're not interested in bugs with our website.\n\n## How to Report a Security Bug to Paragon Initiative Enterprises\n\n### There is no compulsion to disclose privately.\n\nWe believe vulnerability disclosure style is a personal choice and enjoy working with a diverse community. We understand and appreciate the importance of Full Disclosure in the history and practice of security research.\n\nWhile we would *like* to know about high-severity bugs before they become public knowledge, so we can fix them in a timely manner, we strongly prefer that researchers practice full disclosure like we do. **We do not believe in threatening researchers or trying to enforce vulnerability embargoes**.\n\nUltimately, if you discover a security-affecting vulnerability, what you do with it is your choice. 
We would like to work with people, and to celebrate and reward their skill, experience, and dedication. We appreciate being informed of our mistakes so we can learn from them and build a better product. Our goal is to empower the community.\n\n### Where to Send Security Vulnerabilities\n\nFeel free to submit them via HackerOne, or email them to our security team directly (`security@paragonie.com`). Also feel free to open a new issue on Github if you want to disclose publicly.\n\n```\n-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: GnuPG\n\nmQENBFUgwRUBCADcIpqNwyYc5UmY/tpx1sF/rQ3knR1YNXYZThzFV+Gmqhp1fDH5\nqBs9foh1xwI6O7knWmQngnf/nBumI3x6xj7PuOdEZUh2FwCG/VWnglW8rKmoHzHA\nivjiu9SLnPIPAgHSHeh2XD7q3Ndm3nenbjAiRFNl2iXcwA2cTQp9Mmfw9vVcw0G0\nz1o0G3s8cC8ZS6flFySIervvfSRWj7A1acI5eE3+AH/qXJRdEJ+9J8OB65p1JMfk\n6+fWgOB1XZxMpz70S0rW6IX38WDSRhEK2fXyZJAJjyt+YGuzjZySNSoQR/V6vNYn\nsyrNPCJ2i5CgZQxAkyBBcr7koV9RIhPRzct/ABEBAAG0IVNlY3VyaXR5IDxzZWN1\ncml0eUBwYXJhZ29uaWUuY29tPokBOQQTAQIAIwUCVSDBFQIbAwcLCQgHAwIBBhUI\nAgkKCwQWAgMBAh4BAheAAAoJEGuXocKCZATat2YIAIoejNFEQ2c1iaOEtSuB7Pn/\nWLbsDsHNLDKOV+UnfaCjv/vL7D+5NMChFCi2frde/NQb2TsjqmIH+V+XbnJtlrXD\nVj7yvMVal+Jqjwj7v4eOEWcKVcFZk+9cfUgh7t92T2BMX58RpgZF0IQZ6Z1R3FfC\n9Ub4X6ykW+te1q0/4CoRycniwmlQi6iGSr99LQ5pfJq2Qlmz/luTZ0UX0h575T7d\ncp2T1sX/zFRk/fHeANWSksipdDBjAXR7NMnYZgw2HghEdFk/xRDY7K1NRWNZBf05\nWrMHmh6AIVJiWZvI175URxEe268hh+wThBhXQHMhFNJM1qPIuzb4WogxM3UUD7m5\nAQ0EVSDBFQEIALNkpzSuJsHAHh79sc0AYWztdUe2MzyofQbbOnOCpWZebYsC3EXU\n335fIg59k0m6f+O7GmEZzzIv5v0i99GS1R8CJm6FvhGqtH8ZqmOGbc71WdJSiNVE\n0kpQoJlVzRbig6ZyyjzrggbM1eh5OXOk5pw4+23FFEdw7JWU0HJS2o71r1hwp05Z\nvy21kcUEobz/WWQQyGS0Neo7PJn+9KS6wOxXul/UE0jct/5f7KLMdWMJ1VgniQmm\nhjvkHLPSICteqCI04RfcmMseW9gueHQXeUu1SNIvsWa2MhxjeBej3pDnrZWszKwy\ngF45GO9/v4tkIXNMy5J1AtOyRgQ3IUMqp8EAEQEAAYkBHwQYAQIACQUCVSDBFQIb\nDAAKCRBrl6HCgmQE2jnIB/4/xFz8InpM7eybnBOAir3uGcYfs3DOmaKn7qWVtGzv\nrKpQPYnVtlU2i6Z5UO4c4jDLT/8Xm1UDz3Lxvqt4xCaDwJvBZexU5BMK8l5DvOzH\n6o6P2L1UDu6BvmPXpVZz7/qUhOnyf8VQg/dAtYF4/ax19giNUpI5j5o5mX5w80Rx\nqSX
V9NdSL4fdjeG1g/xXv2luhoV53T1bsycI3wjk/x5tV+M2KVhZBvvuOm/zhJje\noLWp0saaESkGXIXqurj6gZoujJvSvzl0n9F9VwqMEizDUfrXgtD1siQGhP0sVC6q\nha+F/SAEJ0jEquM4TfKWWU2S5V5vgPPpIQSYRnhQW4b1\n=xJPW\n-----END PGP PUBLIC KEY BLOCK-----\n```\n\n### We Will Reward Security Researchers\n\nIf you report a valid security-affecting bug, we will compensate you for the time spent finding the vulnerability and reward you for being a good neighbor.\n\nCompensation will typically fall under these two categories:\n\n* Critical (Remote Code Execution, Catastrophic Cryptography Failure): $200+\n* Anything else: $1 to $199\n* Invalid bugs reports: Nothing\n\nNote that we reserve the right to be overwhelmingly generous on a case-by-case basis. ;)\n\n#### What does a \"valid\" bug mean?\n\nThere are two sides to this:\n\n1. Some have spammed projects with invalid bug reports hoping to collect bounties for pressing a button and running an automated analysis tool. This is not cool.\n2. There is a potential for the developers of a project to declare all security bug reports as invalid to save money.\n\nOur team members have an established history of reporting vulnerabilities to large open source projects. **We aren't in the business of ripping people off.** When in doubt, our policy is to err on the side of generosity.\n\n## Scope\n\nWe're only interested in the *source* repositories in the [ParagonIE](https://github.com/paragonie) organization on Github that have at least seen a version `1.0.0` stable release, not any repositories we forked (which we usually only do when fixing a security vulnerability in the upstream repository). We're not interest in third-party integration settings (i.e. Dockerfiles or .travis.yml).\n\n**IMPORTANT: CMS AIRSHIP BEFORE VERSION 2 IS NO LONGER ELIGIBLE.**\n\nWe're not interested in trivial problems with our website (e.g. \"missing SPF headers\").\n\nBugs that require a specific user agent (i.e. they only affect Internet Explorer), browser extension, ActiveX plugin, etc. 
will be promptly fixed, should a mitigation exist, but we are not going to pay a bounty for a bug introduced by software we don't control.\n\n### Please do *not* submit any of the following:\n\n* Any non-critical security concerns with our domain name and/or website\n* Very minor security concerns with alpha software (anything for which the latest release is not at least `1.0.0`)\n\n## No Proof-of-Concept Required\n\nWe might ask for one if we feel we do not understand some of the details pertaining to a specific vulnerability. We certainly appreciate them if you include them in your report, but we believe **the burden lies with the developer to prove their software *is* secure** rather than with the researcher to prove that it isn't.\n\nIn our experience, most bugs are simpler to fix than they are to exploit.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-10-29T01:03:46.157Z"},{"id":3561675,"new_policy":"# An Invitation to Security Researchers\n\nEvery company says they take security \"very seriously.\" Rather than bore anyone with banal boilerplate, here are some quick answers followed by detailed elaboration. If you have any questions about our policies, please email them to `scott@paragonie.com`.\n\n## We Practice Full Disclosure\n\nAny reports (valid or invalid) will be disclosed fully as soon as possible. This is a good security practice that we encourage more programs to adopt.\n\n## Quick Answers\n\n* There is no compulsion to disclose vulnerabilities privately, but we appreciate a head's up.\n* `security@paragonie.com` will get your reports to the right person. 
Our GPG  fingerprint, should you decide to encrypt your report, is `7F52 D5C6 1D12 55C7 3136  2E82 6B97 A1C2 8264 04DA`.\n* **YES**, we will reward security researchers who disclose vulnerabilities in our software.\n* In most cases, **No Proof-of-Concept Required.**\n* Please focus on the source repositories in our Github organization, **not our website** or any forks of other peoples' projects.\n* Unless it results in code execution, we're not interested in bugs with our website.\n\n## How to Report a Security Bug to Paragon Initiative Enterprises\n\n### There is no compulsion to disclose privately.\n\nWe believe vulnerability disclosure style is a personal choice and enjoy working with a diverse community. We understand and appreciate the importance of Full Disclosure in the history and practice of security research.\n\nWe would *like* to know about high-severity bugs before they become public knowledge, so we can fix them in a timely manner, but **we do not believe in threatening researchers or trying to enforce vulnerability embargoes**.\n\nUltimately, if you discover a security-affecting vulnerability, what you do with it is your choice. We would like to work with people, and to celebrate and reward their skill, experience, and dedication. We appreciate being informed of our mistakes so we can learn from them and build a better product. Our goal is to empower the community.\n\n### Where to Send Security Vulnerabilities\n\nFeel free to submit them via HackerOne, or email them to our security team directly (`security@paragonie.com`). 
Also feel free to open a new issue on Github if you want to disclose publicly.\n\n```\n-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: GnuPG\n\nmQENBFUgwRUBCADcIpqNwyYc5UmY/tpx1sF/rQ3knR1YNXYZThzFV+Gmqhp1fDH5\nqBs9foh1xwI6O7knWmQngnf/nBumI3x6xj7PuOdEZUh2FwCG/VWnglW8rKmoHzHA\nivjiu9SLnPIPAgHSHeh2XD7q3Ndm3nenbjAiRFNl2iXcwA2cTQp9Mmfw9vVcw0G0\nz1o0G3s8cC8ZS6flFySIervvfSRWj7A1acI5eE3+AH/qXJRdEJ+9J8OB65p1JMfk\n6+fWgOB1XZxMpz70S0rW6IX38WDSRhEK2fXyZJAJjyt+YGuzjZySNSoQR/V6vNYn\nsyrNPCJ2i5CgZQxAkyBBcr7koV9RIhPRzct/ABEBAAG0IVNlY3VyaXR5IDxzZWN1\ncml0eUBwYXJhZ29uaWUuY29tPokBOQQTAQIAIwUCVSDBFQIbAwcLCQgHAwIBBhUI\nAgkKCwQWAgMBAh4BAheAAAoJEGuXocKCZATat2YIAIoejNFEQ2c1iaOEtSuB7Pn/\nWLbsDsHNLDKOV+UnfaCjv/vL7D+5NMChFCi2frde/NQb2TsjqmIH+V+XbnJtlrXD\nVj7yvMVal+Jqjwj7v4eOEWcKVcFZk+9cfUgh7t92T2BMX58RpgZF0IQZ6Z1R3FfC\n9Ub4X6ykW+te1q0/4CoRycniwmlQi6iGSr99LQ5pfJq2Qlmz/luTZ0UX0h575T7d\ncp2T1sX/zFRk/fHeANWSksipdDBjAXR7NMnYZgw2HghEdFk/xRDY7K1NRWNZBf05\nWrMHmh6AIVJiWZvI175URxEe268hh+wThBhXQHMhFNJM1qPIuzb4WogxM3UUD7m5\nAQ0EVSDBFQEIALNkpzSuJsHAHh79sc0AYWztdUe2MzyofQbbOnOCpWZebYsC3EXU\n335fIg59k0m6f+O7GmEZzzIv5v0i99GS1R8CJm6FvhGqtH8ZqmOGbc71WdJSiNVE\n0kpQoJlVzRbig6ZyyjzrggbM1eh5OXOk5pw4+23FFEdw7JWU0HJS2o71r1hwp05Z\nvy21kcUEobz/WWQQyGS0Neo7PJn+9KS6wOxXul/UE0jct/5f7KLMdWMJ1VgniQmm\nhjvkHLPSICteqCI04RfcmMseW9gueHQXeUu1SNIvsWa2MhxjeBej3pDnrZWszKwy\ngF45GO9/v4tkIXNMy5J1AtOyRgQ3IUMqp8EAEQEAAYkBHwQYAQIACQUCVSDBFQIb\nDAAKCRBrl6HCgmQE2jnIB/4/xFz8InpM7eybnBOAir3uGcYfs3DOmaKn7qWVtGzv\nrKpQPYnVtlU2i6Z5UO4c4jDLT/8Xm1UDz3Lxvqt4xCaDwJvBZexU5BMK8l5DvOzH\n6o6P2L1UDu6BvmPXpVZz7/qUhOnyf8VQg/dAtYF4/ax19giNUpI5j5o5mX5w80Rx\nqSXV9NdSL4fdjeG1g/xXv2luhoV53T1bsycI3wjk/x5tV+M2KVhZBvvuOm/zhJje\noLWp0saaESkGXIXqurj6gZoujJvSvzl0n9F9VwqMEizDUfrXgtD1siQGhP0sVC6q\nha+F/SAEJ0jEquM4TfKWWU2S5V5vgPPpIQSYRnhQW4b1\n=xJPW\n-----END PGP PUBLIC KEY BLOCK-----\n```\n\n### We Will Reward Security Researchers\n\nIf you report a valid security-affecting bug, we will compensate you for the time spent finding the vulnerability and reward you for 
being a good neighbor.\n\nCompensation will typically fall under these two categories:\n\n* Critical (Remote Code Execution, Catastrophic Cryptography Failure): $200+\n* Anything else: $1 to $199\n* Invalid bugs reports: Nothing\n\nNote that we reserve the right to be overwhelmingly generous on a case-by-case basis. ;)\n\n#### What does a \"valid\" bug mean?\n\nThere are two sides to this:\n\n1. Some have spammed projects with invalid bug reports hoping to collect bounties for pressing a button and running an automated analysis tool. This is not cool.\n2. There is a potential for the developers of a project to declare all security bug reports as invalid to save money.\n\nOur team members have an established history of reporting vulnerabilities to large open source projects. **We aren't in the business of ripping people off.** When in doubt, our policy is to err on the side of generosity.\n\n## Scope\n\nWe're only interested in the *source* repositories in the [ParagonIE](https://github.com/paragonie) organization on Github that have at least seen a version `1.0.0` stable release, not any repositories we forked (which we usually only do when fixing a security vulnerability in the upstream repository). We're not interest in third-party integration settings (i.e. Dockerfiles or .travis.yml).\n\n**IMPORTANT: CMS AIRSHIP BEFORE VERSION 2 IS NO LONGER ELIGIBLE.**\n\nWe're not interested in trivial problems with our website (e.g. \"missing SPF headers\").\n\nBugs that require a specific user agent (i.e. they only affect Internet Explorer), browser extension, ActiveX plugin, etc. 
will be promptly fixed, should a mitigation exist, but we are not going to pay a bounty for a bug introduced by software we don't control.\n\n### Please do *not* submit any of the following:\n\n* Any non-critical security concerns with our domain name and/or website\n* Very minor security concerns with alpha software (anything for which the latest release is not at least `1.0.0`)\n\n## No Proof-of-Concept Required\n\nWe might ask for one if we feel we do not understand some of the details pertaining to a specific vulnerability. We certainly appreciate them if you include them in your report, but we believe **the burden lies with the developer to prove their software *is* secure** rather than with the researcher to prove that it isn't.\n\nIn our experience, most bugs are simpler to fix than they are to exploit.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-10-16T05:43:11.914Z"},{"id":3541588,"new_policy":"# An Invitation to Security Researchers\n\nEvery company says they take security \"very seriously.\" Rather than bore anyone with banal boilerplate, here are some quick answers followed by detailed elaboration. If you have any questions about our policies, please email them to `scott@paragonie.com`.\n\n## We Practice Full Disclosure\n\nAny reports (valid or invalid) will be disclosed fully as soon as possible. This is a good security practice that we encourage more programs to adopt.\n\n## Quick Answers\n\n* There is no compulsion to disclose vulnerabilities privately, but we appreciate a head's up.\n* `security@paragonie.com` will get your reports to the right person. 
Our GPG  fingerprint, should you decide to encrypt your report, is `7F52 D5C6 1D12 55C7 3136  2E82 6B97 A1C2 8264 04DA`.\n* **YES**, we will reward security researchers who disclose vulnerabilities in our software.\n* In most cases, **No Proof-of-Concept Required.**\n* Please focus on the source repositories in our Github organization, **not our website** or any forks of other peoples' projects.\n* Unless it results in code execution, we're not interested in bugs with our website.\n\n## How to Report a Security Bug to Paragon Initiative Enterprises\n\n### There is no compulsion to disclose privately.\n\nWe believe vulnerability disclosure style is a personal choice and enjoy working with a diverse community. We understand and appreciate the importance of Full Disclosure in the history and practice of security research.\n\nWe would *like* to know about high-severity bugs before they become public knowledge, so we can fix them in a timely manner, but **we do not believe in threatening researchers or trying to enforce vulnerability embargoes**.\n\nUltimately, if you discover a security-affecting vulnerability, what you do with it is your choice. We would like to work with people, and to celebrate and reward their skill, experience, and dedication. We appreciate being informed of our mistakes so we can learn from them and build a better product. Our goal is to empower the community.\n\n### Where to Send Security Vulnerabilities\n\nFeel free to submit them via HackerOne, or email them to our security team directly (`security@paragonie.com`). 
Also feel free to open a new issue on Github if you want to disclose publicly.\n\n```\n-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: GnuPG\n\nmQENBFUgwRUBCADcIpqNwyYc5UmY/tpx1sF/rQ3knR1YNXYZThzFV+Gmqhp1fDH5\nqBs9foh1xwI6O7knWmQngnf/nBumI3x6xj7PuOdEZUh2FwCG/VWnglW8rKmoHzHA\nivjiu9SLnPIPAgHSHeh2XD7q3Ndm3nenbjAiRFNl2iXcwA2cTQp9Mmfw9vVcw0G0\nz1o0G3s8cC8ZS6flFySIervvfSRWj7A1acI5eE3+AH/qXJRdEJ+9J8OB65p1JMfk\n6+fWgOB1XZxMpz70S0rW6IX38WDSRhEK2fXyZJAJjyt+YGuzjZySNSoQR/V6vNYn\nsyrNPCJ2i5CgZQxAkyBBcr7koV9RIhPRzct/ABEBAAG0IVNlY3VyaXR5IDxzZWN1\ncml0eUBwYXJhZ29uaWUuY29tPokBOQQTAQIAIwUCVSDBFQIbAwcLCQgHAwIBBhUI\nAgkKCwQWAgMBAh4BAheAAAoJEGuXocKCZATat2YIAIoejNFEQ2c1iaOEtSuB7Pn/\nWLbsDsHNLDKOV+UnfaCjv/vL7D+5NMChFCi2frde/NQb2TsjqmIH+V+XbnJtlrXD\nVj7yvMVal+Jqjwj7v4eOEWcKVcFZk+9cfUgh7t92T2BMX58RpgZF0IQZ6Z1R3FfC\n9Ub4X6ykW+te1q0/4CoRycniwmlQi6iGSr99LQ5pfJq2Qlmz/luTZ0UX0h575T7d\ncp2T1sX/zFRk/fHeANWSksipdDBjAXR7NMnYZgw2HghEdFk/xRDY7K1NRWNZBf05\nWrMHmh6AIVJiWZvI175URxEe268hh+wThBhXQHMhFNJM1qPIuzb4WogxM3UUD7m5\nAQ0EVSDBFQEIALNkpzSuJsHAHh79sc0AYWztdUe2MzyofQbbOnOCpWZebYsC3EXU\n335fIg59k0m6f+O7GmEZzzIv5v0i99GS1R8CJm6FvhGqtH8ZqmOGbc71WdJSiNVE\n0kpQoJlVzRbig6ZyyjzrggbM1eh5OXOk5pw4+23FFEdw7JWU0HJS2o71r1hwp05Z\nvy21kcUEobz/WWQQyGS0Neo7PJn+9KS6wOxXul/UE0jct/5f7KLMdWMJ1VgniQmm\nhjvkHLPSICteqCI04RfcmMseW9gueHQXeUu1SNIvsWa2MhxjeBej3pDnrZWszKwy\ngF45GO9/v4tkIXNMy5J1AtOyRgQ3IUMqp8EAEQEAAYkBHwQYAQIACQUCVSDBFQIb\nDAAKCRBrl6HCgmQE2jnIB/4/xFz8InpM7eybnBOAir3uGcYfs3DOmaKn7qWVtGzv\nrKpQPYnVtlU2i6Z5UO4c4jDLT/8Xm1UDz3Lxvqt4xCaDwJvBZexU5BMK8l5DvOzH\n6o6P2L1UDu6BvmPXpVZz7/qUhOnyf8VQg/dAtYF4/ax19giNUpI5j5o5mX5w80Rx\nqSXV9NdSL4fdjeG1g/xXv2luhoV53T1bsycI3wjk/x5tV+M2KVhZBvvuOm/zhJje\noLWp0saaESkGXIXqurj6gZoujJvSvzl0n9F9VwqMEizDUfrXgtD1siQGhP0sVC6q\nha+F/SAEJ0jEquM4TfKWWU2S5V5vgPPpIQSYRnhQW4b1\n=xJPW\n-----END PGP PUBLIC KEY BLOCK-----\n```\n\n### We Will Reward Security Researchers\n\nIf you report a valid security-affecting bug, we will compensate you for the time spent finding the vulnerability and reward you for 
being a good neighbor.\n\nCompensation will typically fall under these two categories:\n\n* Critical (Remote Code Execution, Catastrophic Cryptography Failure): $200+\n* Anything else: $1 to $199\n* Invalid bugs reports: Nothing\n\nNote that we reserve the right to be overwhelmingly generous on a case-by-case basis. ;)\n\n#### What does a \"valid\" bug mean?\n\nThere are two sides to this:\n\n1. Some have spammed projects with invalid bug reports hoping to collect bounties for pressing a button and running an automated analysis tool. This is not cool.\n2. There is a potential for the developers of a project to declare all security bug reports as invalid to save money.\n\nOur team members have an established history of reporting vulnerabilities to large open source projects. **We aren't in the business of ripping people off.** When in doubt, our policy is to err on the side of generosity.\n\n## Scope\n\nWe're only interested in the *source* repositories in the [ParagonIE](https://github.com/paragonie) organization on Github that have at least seen a version `1.0.0` stable release, not any repositories we forked (which we usually only do when fixing a security vulnerability in the upstream repository). We're not interest in third-party integration settings (i.e. Dockerfiles or .travis.yml).\n\nWe're not interested in trivial problems with our website (e.g. \"missing SPF headers\").\n\nBugs that require a specific user agent (i.e. they only affect Internet Explorer), browser extension, ActiveX plugin, etc. 
will be promptly fixed, should a mitigation exist, but we are not going to pay a bounty for a bug introduced by software we don't control.\n\n### Please do *not* submit any of the following:\n\n* Any non-critical security concerns with our domain name and/or website\n* Very minor security concerns with alpha software (anything for which the latest release is not at least `1.0.0`)\n\n## No Proof-of-Concept Required\n\nWe might ask for one if we feel we do not understand some of the details pertaining to a specific vulnerability. We certainly appreciate them if you include them in your report, but we believe **the burden lies with the developer to prove their software *is* secure** rather than with the researcher to prove that it isn't.\n\nIn our experience, most bugs are simpler to fix than they are to exploit.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-11-10T00:35:05.589Z"},{"id":3056609,"new_policy":"# An Invitation to Security Researchers\n\nEvery company says they take security \"very seriously.\" Rather than bore anyone with banal boilerplate, here are some quick answers followed by detailed elaboration. If you have any questions about our policies, please email them to `scott@paragonie.com`.\n\n## We Practice Full Disclosure\n\nAny reports (valid or invalid) will be disclosed fully as soon as possible. This is a good security practice that we encourage more programs to adopt.\n\n## Quick Answers\n\n* There is no compulsion to disclose vulnerabilities privately, but we appreciate a head's up.\n* `security@paragonie.com` will get your reports to the right person. 
Our GPG  fingerprint, should you decide to encrypt your report, is `7F52 D5C6 1D12 55C7 3136  2E82 6B97 A1C2 8264 04DA`.\n* **YES**, we will reward security researchers who disclose vulnerabilities in our software.\n* In most cases, **No Proof-of-Concept Required.**\n* Please focus on the source repositories in our Github organization, **not our website** or any forks of other peoples' projects.\n* Unless it results in code execution, we're not interested in bugs with our website.\n\n## How to Report a Security Bug to Paragon Initiative Enterprises\n\n### There is no compulsion to disclose privately.\n\nWe believe vulnerability disclosure style is a personal choice and enjoy working with a diverse community. We understand and appreciate the importance of Full Disclosure in the history and practice of security research.\n\nWe would *like* to know about high-severity bugs before they become public knowledge, so we can fix them in a timely manner, but **we do not believe in threatening researchers or trying to enforce vulnerability embargoes**.\n\nUltimately, if you discover a security-affecting vulnerability, what you do with it is your choice. We would like to work with people, and to celebrate and reward their skill, experience, and dedication. We appreciate being informed of our mistakes so we can learn from them and build a better product. Our goal is to empower the community.\n\n### Where to Send Security Vulnerabilities\n\nFeel free to submit them via HackerOne, or email them to our security team directly (`security@paragonie.com`). 
Also feel free to open a new issue on Github if you want to disclose publicly.\n\n```\n-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: GnuPG\n\nmQENBFUgwRUBCADcIpqNwyYc5UmY/tpx1sF/rQ3knR1YNXYZThzFV+Gmqhp1fDH5\nqBs9foh1xwI6O7knWmQngnf/nBumI3x6xj7PuOdEZUh2FwCG/VWnglW8rKmoHzHA\nivjiu9SLnPIPAgHSHeh2XD7q3Ndm3nenbjAiRFNl2iXcwA2cTQp9Mmfw9vVcw0G0\nz1o0G3s8cC8ZS6flFySIervvfSRWj7A1acI5eE3+AH/qXJRdEJ+9J8OB65p1JMfk\n6+fWgOB1XZxMpz70S0rW6IX38WDSRhEK2fXyZJAJjyt+YGuzjZySNSoQR/V6vNYn\nsyrNPCJ2i5CgZQxAkyBBcr7koV9RIhPRzct/ABEBAAG0IVNlY3VyaXR5IDxzZWN1\ncml0eUBwYXJhZ29uaWUuY29tPokBOQQTAQIAIwUCVSDBFQIbAwcLCQgHAwIBBhUI\nAgkKCwQWAgMBAh4BAheAAAoJEGuXocKCZATat2YIAIoejNFEQ2c1iaOEtSuB7Pn/\nWLbsDsHNLDKOV+UnfaCjv/vL7D+5NMChFCi2frde/NQb2TsjqmIH+V+XbnJtlrXD\nVj7yvMVal+Jqjwj7v4eOEWcKVcFZk+9cfUgh7t92T2BMX58RpgZF0IQZ6Z1R3FfC\n9Ub4X6ykW+te1q0/4CoRycniwmlQi6iGSr99LQ5pfJq2Qlmz/luTZ0UX0h575T7d\ncp2T1sX/zFRk/fHeANWSksipdDBjAXR7NMnYZgw2HghEdFk/xRDY7K1NRWNZBf05\nWrMHmh6AIVJiWZvI175URxEe268hh+wThBhXQHMhFNJM1qPIuzb4WogxM3UUD7m5\nAQ0EVSDBFQEIALNkpzSuJsHAHh79sc0AYWztdUe2MzyofQbbOnOCpWZebYsC3EXU\n335fIg59k0m6f+O7GmEZzzIv5v0i99GS1R8CJm6FvhGqtH8ZqmOGbc71WdJSiNVE\n0kpQoJlVzRbig6ZyyjzrggbM1eh5OXOk5pw4+23FFEdw7JWU0HJS2o71r1hwp05Z\nvy21kcUEobz/WWQQyGS0Neo7PJn+9KS6wOxXul/UE0jct/5f7KLMdWMJ1VgniQmm\nhjvkHLPSICteqCI04RfcmMseW9gueHQXeUu1SNIvsWa2MhxjeBej3pDnrZWszKwy\ngF45GO9/v4tkIXNMy5J1AtOyRgQ3IUMqp8EAEQEAAYkBHwQYAQIACQUCVSDBFQIb\nDAAKCRBrl6HCgmQE2jnIB/4/xFz8InpM7eybnBOAir3uGcYfs3DOmaKn7qWVtGzv\nrKpQPYnVtlU2i6Z5UO4c4jDLT/8Xm1UDz3Lxvqt4xCaDwJvBZexU5BMK8l5DvOzH\n6o6P2L1UDu6BvmPXpVZz7/qUhOnyf8VQg/dAtYF4/ax19giNUpI5j5o5mX5w80Rx\nqSXV9NdSL4fdjeG1g/xXv2luhoV53T1bsycI3wjk/x5tV+M2KVhZBvvuOm/zhJje\noLWp0saaESkGXIXqurj6gZoujJvSvzl0n9F9VwqMEizDUfrXgtD1siQGhP0sVC6q\nha+F/SAEJ0jEquM4TfKWWU2S5V5vgPPpIQSYRnhQW4b1\n=xJPW\n-----END PGP PUBLIC KEY BLOCK-----\n```\n\n### We Will Reward Security Researchers\n\nIf you report a valid security-affecting bug, we will compensate you for the time spent finding the vulnerability and reward you for 
being a good neighbor.\n\nCompensation will typically fall under these two categories:\n\n* Critical (Remote Code Execution, Catastrophic Cryptography Failure): $200+\n* Anything else: $1 to $199\n* Invalid bugs reports: Nothing\n\nNote that we reserve the right to be overwhelmingly generous on a case-by-case basis. ;)\n\n#### What does a \"valid\" bug mean?\n\nThere are two sides to this:\n\n1. Some have spammed projects with invalid bug reports hoping to collect bounties for pressing a button and running an automated analysis tool. This is not cool.\n2. There is a potential for the developers of a project to declare all security bug reports as invalid to save money.\n\nOur team members have an established history of reporting vulnerabilities to large open source projects. **We aren't in the business of ripping people off.** When in doubt, our policy is to err on the side of generosity.\n\n## Scope\n\nWe're only interested in the *source* repositories in the [ParagonIE](https://github.com/paragonie) organization on Github that have at least seen a version `1.0.0` stable release, not any repositories we forked (which we usually only do when fixing a security vulnerability in the upstream repository).\n\nWe're not interested in trivial problems with our website (e.g. \"missing SPF headers\").\n\nBugs that require a specific user agent (i.e. they only affect Internet Explorer), browser extension, ActiveX plugin, etc. will be promptly fixed, should a mitigation exist, but we are not going to pay a bounty for a bug introduced by software we don't control.\n\n### Please do *not* submit any of the following:\n\n* Any non-critical security concerns with our domain name and/or website\n* Very minor security concerns with alpha software (anything for which the latest release is not at least `1.0.0`)\n\n## No Proof-of-Concept Required\n\nWe might ask for one if we feel we do not understand some of the details pertaining to a specific vulnerability. 
We certainly appreciate them if you include them in your report, but we believe **the burden lies with the developer to prove their software *is* secure** rather than with the researcher to prove that it isn't.\n\nIn our experience, most bugs are simpler to fix than they are to exploit.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-07-14T03:55:35.749Z"},{"id":3010138,"new_policy":"# An Invitation to Security Researchers\n\nEvery company says they take security \"very seriously.\" Rather than bore anyone with banal boilerplate, here are some quick answers followed by detailed elaboration. If you have any questions about our policies, please email them to `scott@paragonie.com`.\n\n## We Practice Full Disclosure\n\nAny reports (valid or invalid) will be disclosed fully as soon as possible. This is a good security practice that we encourage more programs to adopt.\n\n## Quick Answers\n\n* There is no compulsion to disclose vulnerabilities privately, but we appreciate a head's up.\n* `security@paragonie.com` will get your reports to the right person. 
Our GPG  fingerprint, should you decide to encrypt your report, is `7F52 D5C6 1D12 55C7 3136  2E82 6B97 A1C2 8264 04DA`.\n* **YES**, we will reward security researchers who disclose vulnerabilities in our software.\n* In most cases, **No Proof-of-Concept Required.**\n* Please focus on the source repositories in our Github organization, **not our website** or any forks of other peoples' projects.\n* Unless it results in code execution, we're not interested in bugs with our website.\n\n## How to Report a Security Bug to Paragon Initiative Enterprises\n\n### There is no compulsion to disclose privately.\n\nWe believe vulnerability disclosure style is a personal choice and enjoy working with a diverse community. We understand and appreciate the importance of Full Disclosure in the history and practice of security research.\n\nWe would *like* to know about high-severity bugs before they become public knowledge, so we can fix them in a timely manner, but **we do not believe in threatening researchers or trying to enforce vulnerability embargoes**.\n\nUltimately, if you discover a security-affecting vulnerability, what you do with it is your choice. We would like to work with people, and to celebrate and reward their skill, experience, and dedication. We appreciate being informed of our mistakes so we can learn from them and build a better product. Our goal is to empower the community.\n\n### Where to Send Security Vulnerabilities\n\nFeel free to submit them via HackerOne, or email them to our security team directly (`security@paragonie.com`). 
Also feel free to open a new issue on Github if you want to disclose publicly.\n\n```\n-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: GnuPG\n\nmQENBFUgwRUBCADcIpqNwyYc5UmY/tpx1sF/rQ3knR1YNXYZThzFV+Gmqhp1fDH5\nqBs9foh1xwI6O7knWmQngnf/nBumI3x6xj7PuOdEZUh2FwCG/VWnglW8rKmoHzHA\nivjiu9SLnPIPAgHSHeh2XD7q3Ndm3nenbjAiRFNl2iXcwA2cTQp9Mmfw9vVcw0G0\nz1o0G3s8cC8ZS6flFySIervvfSRWj7A1acI5eE3+AH/qXJRdEJ+9J8OB65p1JMfk\n6+fWgOB1XZxMpz70S0rW6IX38WDSRhEK2fXyZJAJjyt+YGuzjZySNSoQR/V6vNYn\nsyrNPCJ2i5CgZQxAkyBBcr7koV9RIhPRzct/ABEBAAG0IVNlY3VyaXR5IDxzZWN1\ncml0eUBwYXJhZ29uaWUuY29tPokBOQQTAQIAIwUCVSDBFQIbAwcLCQgHAwIBBhUI\nAgkKCwQWAgMBAh4BAheAAAoJEGuXocKCZATat2YIAIoejNFEQ2c1iaOEtSuB7Pn/\nWLbsDsHNLDKOV+UnfaCjv/vL7D+5NMChFCi2frde/NQb2TsjqmIH+V+XbnJtlrXD\nVj7yvMVal+Jqjwj7v4eOEWcKVcFZk+9cfUgh7t92T2BMX58RpgZF0IQZ6Z1R3FfC\n9Ub4X6ykW+te1q0/4CoRycniwmlQi6iGSr99LQ5pfJq2Qlmz/luTZ0UX0h575T7d\ncp2T1sX/zFRk/fHeANWSksipdDBjAXR7NMnYZgw2HghEdFk/xRDY7K1NRWNZBf05\nWrMHmh6AIVJiWZvI175URxEe268hh+wThBhXQHMhFNJM1qPIuzb4WogxM3UUD7m5\nAQ0EVSDBFQEIALNkpzSuJsHAHh79sc0AYWztdUe2MzyofQbbOnOCpWZebYsC3EXU\n335fIg59k0m6f+O7GmEZzzIv5v0i99GS1R8CJm6FvhGqtH8ZqmOGbc71WdJSiNVE\n0kpQoJlVzRbig6ZyyjzrggbM1eh5OXOk5pw4+23FFEdw7JWU0HJS2o71r1hwp05Z\nvy21kcUEobz/WWQQyGS0Neo7PJn+9KS6wOxXul/UE0jct/5f7KLMdWMJ1VgniQmm\nhjvkHLPSICteqCI04RfcmMseW9gueHQXeUu1SNIvsWa2MhxjeBej3pDnrZWszKwy\ngF45GO9/v4tkIXNMy5J1AtOyRgQ3IUMqp8EAEQEAAYkBHwQYAQIACQUCVSDBFQIb\nDAAKCRBrl6HCgmQE2jnIB/4/xFz8InpM7eybnBOAir3uGcYfs3DOmaKn7qWVtGzv\nrKpQPYnVtlU2i6Z5UO4c4jDLT/8Xm1UDz3Lxvqt4xCaDwJvBZexU5BMK8l5DvOzH\n6o6P2L1UDu6BvmPXpVZz7/qUhOnyf8VQg/dAtYF4/ax19giNUpI5j5o5mX5w80Rx\nqSXV9NdSL4fdjeG1g/xXv2luhoV53T1bsycI3wjk/x5tV+M2KVhZBvvuOm/zhJje\noLWp0saaESkGXIXqurj6gZoujJvSvzl0n9F9VwqMEizDUfrXgtD1siQGhP0sVC6q\nha+F/SAEJ0jEquM4TfKWWU2S5V5vgPPpIQSYRnhQW4b1\n=xJPW\n-----END PGP PUBLIC KEY BLOCK-----\n```\n\n### We Will Reward Security Researchers\n\nIf you report a valid security-affecting bug, we will compensate you for the time spent finding the vulnerability and reward you for 
being a good neighbor.\n\nCompensation will typically fall under these two categories:\n\n* Critical (Remote Code Execution, Catastrophic Cryptography Failure): $200+\n* Anything else: $1 to $199\n* Invalid bugs reports: Nothing\n\nNote that we reserve the right to be overwhelmingly generous on a case-by-case basis. ;)\n\n#### What does a \"valid\" bug mean?\n\nThere are two sides to this:\n\n1. Some have spammed projects with invalid bug reports hoping to collect bounties for pressing a button and running an automated analysis tool. This is not cool.\n2. There is a potential for the developers of a project to declare all security bug reports as invalid to save money.\n\nOur team members have an established history of reporting vulnerabilities to large open source projects. **We aren't in the business of ripping people off.** When in doubt, our policy is to err on the side of generosity.\n\n## Scope\n\nWe're only interested in the *source* repositories in the [ParagonIE](https://github.com/paragonie) organization on Github that have at least seen a version `1.0.0` stable release, not any repositories we forked (which we usually only do when fixing a security vulnerability in the upstream repository).\n\nWe're not interested in trivial problems with our website (e.g. \"missing SPF headers\").\n\n### Please do *not* submit any of the following:\n\n* Any non-critical security concerns with our domain name and/or website\n* Very minor security concerns with alpha software (anything for which the latest release is not at least `1.0.0`)\n\n## No Proof-of-Concept Required\n\nWe might ask for one if we feel we do not understand some of the details pertaining to a specific vulnerability. 
We certainly appreciate them if you include them in your report, but we believe **the burden lies with the developer to prove their software *is* secure** rather than with the researcher to prove that it isn't.\n\nIn our experience, most bugs are simpler to fix than they are to exploit.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-07-06T01:08:17.381Z"},{"id":3009470,"new_policy":"# An Invitation to Security Researchers\n\nEvery company says they take security \"very seriously.\" Rather than bore anyone with banal boilerplate, here are some quick answers followed by detailed elaboration. If you have any questions about our policies, please email them to `scott@paragonie.com`.\n\n## Quick Answers\n\n* There is no compulsion to disclose vulnerabilities privately, but we appreciate a head's up.\n* `security@paragonie.com` will get your reports to the right person. Our GPG  fingerprint, should you decide to encrypt your report, is `7F52 D5C6 1D12 55C7 3136  2E82 6B97 A1C2 8264 04DA`.\n* **YES**, we will reward security researchers who disclose vulnerabilities in our software.\n* In most cases, **No Proof-of-Concept Required.**\n* Please focus on the source repositories in our Github organization, **not our website** or any forks of other peoples' projects.\n* Unless it results in code execution, we're not interested in bugs with our website.\n\n## How to Report a Security Bug to Paragon Initiative Enterprises\n\n### There is no compulsion to disclose privately.\n\nWe believe vulnerability disclosure style is a personal choice and enjoy working with a diverse community. 
We understand and appreciate the importance of Full Disclosure in the history and practice of security research.\n\nWe would *like* to know about high-severity bugs before they become public knowledge, so we can fix them in a timely manner, but **we do not believe in threatening researchers or trying to enforce vulnerability embargoes**.\n\nUltimately, if you discover a security-affecting vulnerability, what you do with it is your choice. We would like to work with people, and to celebrate and reward their skill, experience, and dedication. We appreciate being informed of our mistakes so we can learn from them and build a better product. Our goal is to empower the community.\n\n### Where to Send Security Vulnerabilities\n\nFeel free to submit them via HackerOne, or email them to our security team directly (`security@paragonie.com`). Also feel free to open a new issue on Github if you want to disclose publicly.\n\n```\n-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: GnuPG\n\nmQENBFUgwRUBCADcIpqNwyYc5UmY/tpx1sF/rQ3knR1YNXYZThzFV+Gmqhp1fDH5\nqBs9foh1xwI6O7knWmQngnf/nBumI3x6xj7PuOdEZUh2FwCG/VWnglW8rKmoHzHA\nivjiu9SLnPIPAgHSHeh2XD7q3Ndm3nenbjAiRFNl2iXcwA2cTQp9Mmfw9vVcw0G0\nz1o0G3s8cC8ZS6flFySIervvfSRWj7A1acI5eE3+AH/qXJRdEJ+9J8OB65p1JMfk\n6+fWgOB1XZxMpz70S0rW6IX38WDSRhEK2fXyZJAJjyt+YGuzjZySNSoQR/V6vNYn\nsyrNPCJ2i5CgZQxAkyBBcr7koV9RIhPRzct/ABEBAAG0IVNlY3VyaXR5IDxzZWN1\ncml0eUBwYXJhZ29uaWUuY29tPokBOQQTAQIAIwUCVSDBFQIbAwcLCQgHAwIBBhUI\nAgkKCwQWAgMBAh4BAheAAAoJEGuXocKCZATat2YIAIoejNFEQ2c1iaOEtSuB7Pn/\nWLbsDsHNLDKOV+UnfaCjv/vL7D+5NMChFCi2frde/NQb2TsjqmIH+V+XbnJtlrXD\nVj7yvMVal+Jqjwj7v4eOEWcKVcFZk+9cfUgh7t92T2BMX58RpgZF0IQZ6Z1R3FfC\n9Ub4X6ykW+te1q0/4CoRycniwmlQi6iGSr99LQ5pfJq2Qlmz/luTZ0UX0h575T7d\ncp2T1sX/zFRk/fHeANWSksipdDBjAXR7NMnYZgw2HghEdFk/xRDY7K1NRWNZBf05\nWrMHmh6AIVJiWZvI175URxEe268hh+wThBhXQHMhFNJM1qPIuzb4WogxM3UUD7m5\nAQ0EVSDBFQEIALNkpzSuJsHAHh79sc0AYWztdUe2MzyofQbbOnOCpWZebYsC3EXU\n335fIg59k0m6f+O7GmEZzzIv5v0i99GS1R8CJm6FvhGqtH8ZqmOGbc71WdJSiNVE\n0kpQoJlVzRbig6Zyyjzrgg
bM1eh5OXOk5pw4+23FFEdw7JWU0HJS2o71r1hwp05Z\nvy21kcUEobz/WWQQyGS0Neo7PJn+9KS6wOxXul/UE0jct/5f7KLMdWMJ1VgniQmm\nhjvkHLPSICteqCI04RfcmMseW9gueHQXeUu1SNIvsWa2MhxjeBej3pDnrZWszKwy\ngF45GO9/v4tkIXNMy5J1AtOyRgQ3IUMqp8EAEQEAAYkBHwQYAQIACQUCVSDBFQIb\nDAAKCRBrl6HCgmQE2jnIB/4/xFz8InpM7eybnBOAir3uGcYfs3DOmaKn7qWVtGzv\nrKpQPYnVtlU2i6Z5UO4c4jDLT/8Xm1UDz3Lxvqt4xCaDwJvBZexU5BMK8l5DvOzH\n6o6P2L1UDu6BvmPXpVZz7/qUhOnyf8VQg/dAtYF4/ax19giNUpI5j5o5mX5w80Rx\nqSXV9NdSL4fdjeG1g/xXv2luhoV53T1bsycI3wjk/x5tV+M2KVhZBvvuOm/zhJje\noLWp0saaESkGXIXqurj6gZoujJvSvzl0n9F9VwqMEizDUfrXgtD1siQGhP0sVC6q\nha+F/SAEJ0jEquM4TfKWWU2S5V5vgPPpIQSYRnhQW4b1\n=xJPW\n-----END PGP PUBLIC KEY BLOCK-----\n```\n\n### We Will Reward Security Researchers\n\nIf you report a valid security-affecting bug, we will compensate you for the time spent finding the vulnerability and reward you for being a good neighbor.\n\nCompensation will typically fall under these two categories:\n\n* Critical (Remote Code Execution, Catastrophic Cryptography Failure): $200+\n* Anything else: $1 to $199\n* Invalid bugs reports: Nothing\n\nNote that we reserve the right to be overwhelmingly generous on a case-by-case basis. ;)\n\n#### What does a \"valid\" bug mean?\n\nThere are two sides to this:\n\n1. Some have spammed projects with invalid bug reports hoping to collect bounties for pressing a button and running an automated analysis tool. This is not cool.\n2. There is a potential for the developers of a project to declare all security bug reports as invalid to save money.\n\nOur team members have an established history of reporting vulnerabilities to large open source projects. 
**We aren't in the business of ripping people off.** When in doubt, our policy is to err on the side of generosity.\n\n## Scope\n\nWe're only interested in the *source* repositories in the [ParagonIE](https://github.com/paragonie) organization on Github that have at least seen a version `1.0.0` stable release, not any repositories we forked (which we usually only do when fixing a security vulnerability in the upstream repository).\n\nWe're not interested in trivial problems with our website (e.g. \"missing SPF headers\").\n\n### Please do *not* submit any of the following:\n\n* Any non-critical security concerns with our domain name and/or website\n* Very minor security concerns with alpha software (anything for which the latest release is not at least `1.0.0`)\n\n## No Proof-of-Concept Required\n\nWe might ask for one if we feel we do not understand some of the details pertaining to a specific vulnerability. We certainly appreciate them if you include them in your report, but we believe **the burden lies with the developer to prove their software *is* secure** rather than with the researcher to prove that it isn't.\n\nIn our experience, most bugs are simpler to fix than they are to exploit.\n\n## We Practice Full Disclosure\n\nAny reports (valid or invalid) will be disclosed fully as soon as possible. This is a good security practice that we encourage more programs to adopt.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-07-05T21:56:21.783Z"},{"id":2964329,"new_policy":"# An Invitation to Security Researchers\n\nEvery company says they take security \"very seriously.\" Rather than bore anyone with banal boilerplate, here are some quick answers followed by detailed elaboration. 
If you have any questions about our policies, please email them to `scott@paragonie.com`.\n\n## Quick Answers\n\n* There is no compulsion to disclose vulnerabilities privately, but we appreciate a head's up.\n* `security@paragonie.com` will get your reports to the right person. Our GPG  fingerprint, should you decide to encrypt your report, is `7F52 D5C6 1D12 55C7 3136  2E82 6B97 A1C2 8264 04DA`.\n* **YES**, we will reward security researchers who disclose vulnerabilities in our software.\n* In most cases, **No Proof-of-Concept Required.**\n* Please focus on the source repositories in our Github organization, **not our website** or any forks of other peoples' projects.\n* Unless it results in code execution, we're not interested in bugs with our website.\n\n## How to Report a Security Bug to Paragon Initiative Enterprises\n\n### There is no compulsion to disclose privately.\n\nWe believe vulnerability disclosure style is a personal choice and enjoy working with a diverse community. We understand and appreciate the importance of Full Disclosure in the history and practice of security research.\n\nWe would *like* to know about high-severity bugs before they become public knowledge, so we can fix them in a timely manner, but **we do not believe in threatening researchers or trying to enforce vulnerability embargoes**.\n\nUltimately, if you discover a security-affecting vulnerability, what you do with it is your choice. We would like to work with people, and to celebrate and reward their skill, experience, and dedication. We appreciate being informed of our mistakes so we can learn from them and build a better product. Our goal is to empower the community.\n\n### Where to Send Security Vulnerabilities\n\nFeel free to submit them via HackerOne, or email them to our security team directly (`security@paragonie.com`). 
Also feel free to open a new issue on Github if you want to disclose publicly.\n\n```\n-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: GnuPG\n\nmQENBFUgwRUBCADcIpqNwyYc5UmY/tpx1sF/rQ3knR1YNXYZThzFV+Gmqhp1fDH5\nqBs9foh1xwI6O7knWmQngnf/nBumI3x6xj7PuOdEZUh2FwCG/VWnglW8rKmoHzHA\nivjiu9SLnPIPAgHSHeh2XD7q3Ndm3nenbjAiRFNl2iXcwA2cTQp9Mmfw9vVcw0G0\nz1o0G3s8cC8ZS6flFySIervvfSRWj7A1acI5eE3+AH/qXJRdEJ+9J8OB65p1JMfk\n6+fWgOB1XZxMpz70S0rW6IX38WDSRhEK2fXyZJAJjyt+YGuzjZySNSoQR/V6vNYn\nsyrNPCJ2i5CgZQxAkyBBcr7koV9RIhPRzct/ABEBAAG0IVNlY3VyaXR5IDxzZWN1\ncml0eUBwYXJhZ29uaWUuY29tPokBOQQTAQIAIwUCVSDBFQIbAwcLCQgHAwIBBhUI\nAgkKCwQWAgMBAh4BAheAAAoJEGuXocKCZATat2YIAIoejNFEQ2c1iaOEtSuB7Pn/\nWLbsDsHNLDKOV+UnfaCjv/vL7D+5NMChFCi2frde/NQb2TsjqmIH+V+XbnJtlrXD\nVj7yvMVal+Jqjwj7v4eOEWcKVcFZk+9cfUgh7t92T2BMX58RpgZF0IQZ6Z1R3FfC\n9Ub4X6ykW+te1q0/4CoRycniwmlQi6iGSr99LQ5pfJq2Qlmz/luTZ0UX0h575T7d\ncp2T1sX/zFRk/fHeANWSksipdDBjAXR7NMnYZgw2HghEdFk/xRDY7K1NRWNZBf05\nWrMHmh6AIVJiWZvI175URxEe268hh+wThBhXQHMhFNJM1qPIuzb4WogxM3UUD7m5\nAQ0EVSDBFQEIALNkpzSuJsHAHh79sc0AYWztdUe2MzyofQbbOnOCpWZebYsC3EXU\n335fIg59k0m6f+O7GmEZzzIv5v0i99GS1R8CJm6FvhGqtH8ZqmOGbc71WdJSiNVE\n0kpQoJlVzRbig6ZyyjzrggbM1eh5OXOk5pw4+23FFEdw7JWU0HJS2o71r1hwp05Z\nvy21kcUEobz/WWQQyGS0Neo7PJn+9KS6wOxXul/UE0jct/5f7KLMdWMJ1VgniQmm\nhjvkHLPSICteqCI04RfcmMseW9gueHQXeUu1SNIvsWa2MhxjeBej3pDnrZWszKwy\ngF45GO9/v4tkIXNMy5J1AtOyRgQ3IUMqp8EAEQEAAYkBHwQYAQIACQUCVSDBFQIb\nDAAKCRBrl6HCgmQE2jnIB/4/xFz8InpM7eybnBOAir3uGcYfs3DOmaKn7qWVtGzv\nrKpQPYnVtlU2i6Z5UO4c4jDLT/8Xm1UDz3Lxvqt4xCaDwJvBZexU5BMK8l5DvOzH\n6o6P2L1UDu6BvmPXpVZz7/qUhOnyf8VQg/dAtYF4/ax19giNUpI5j5o5mX5w80Rx\nqSXV9NdSL4fdjeG1g/xXv2luhoV53T1bsycI3wjk/x5tV+M2KVhZBvvuOm/zhJje\noLWp0saaESkGXIXqurj6gZoujJvSvzl0n9F9VwqMEizDUfrXgtD1siQGhP0sVC6q\nha+F/SAEJ0jEquM4TfKWWU2S5V5vgPPpIQSYRnhQW4b1\n=xJPW\n-----END PGP PUBLIC KEY BLOCK-----\n```\n\n### We Will Reward Security Researchers\n\nIf you report a valid security-affecting bug, we will compensate you for the time spent finding the vulnerability and reward you for 
being a good neighbor.\n\nCompensation will typically fall under these two categories:\n\n* Critical (Remote Code Execution, Catastrophic Cryptography Failure): $200+\n* Anything else: $0 to $199\n* Invalid bugs reports: Nothing\n\nNote that we reserve the right to be overwhelmingly generous on a case-by-case basis. ;)\n\n#### What does a \"valid\" bug mean?\n\nThere are two sides to this:\n\n1. Some have spammed projects with invalid bug reports hoping to collect bounties for pressing a button and running an automated analysis tool. This is not cool.\n2. There is a potential for the developers of a project to declare all security bug reports as invalid to save money.\n\nOur team members have an established history of reporting vulnerabilities to large open source projects. **We aren't in the business of ripping people off.** When in doubt, our policy is to err on the side of generosity.\n\n## Scope\n\nWe're only interested in the *source* repositories in the [ParagonIE](https://github.com/paragonie) organization on Github that have at least seen a version `1.0.0` stable release, not any repositories we forked (which we usually only do when fixing a security vulnerability in the upstream repository).\n\nWe're not interested in trivial problems with our website (e.g. \"missing SPF headers\").\n\n### Please do *not* submit any of the following:\n\n* Any non-critical security concerns with our domain name and/or website\n* Very minor security concerns with alpha software (anything for which the latest release is not at least `1.0.0`)\n\n## No Proof-of-Concept Required\n\nWe might ask for one if we feel we do not understand some of the details pertaining to a specific vulnerability. 
We certainly appreciate them if you include them in your report, but we believe **the burden lies with the developer to prove their software *is* secure** rather than with the researcher to prove that it isn't.\n\nIn our experience, most bugs are simpler to fix than they are to exploit.\n\n## We Practice Full Disclosure\n\nAny reports (valid or invalid) will be disclosed fully as soon as possible. This is a good security practice that we encourage more programs to adopt.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-06-25T01:07:48.354Z"},{"id":2916795,"new_policy":"# An Invitation to Security Researchers\n\nEvery company says they take security \"very seriously.\" Rather than bore anyone with banal boilerplate, here are some quick answers followed by detailed elaboration. If you have any questions about our policies, please email them to `scott@paragonie.com`.\n\n## Quick Answers\n\n* There is no compulsion to disclose vulnerabilities privately, but we appreciate a head's up.\n* `security@paragonie.com` will get your reports to the right person. 
Our GPG  fingerprint, should you decide to encrypt your report, is `7F52 D5C6 1D12 55C7 3136  2E82 6B97 A1C2 8264 04DA`.\n* **YES**, we will reward security researchers who disclose vulnerabilities in our software.\n* In most cases, **No Proof-of-Concept Required.**\n* Please focus on the source repositories in our Github organization, **not our website** or any forks of other peoples' projects.\n* Unless it results in code execution, we're not interested in bugs with our website.\n\n## How to Report a Security Bug to Paragon Initiative Enterprises\n\n### There is no compulsion to disclose privately.\n\nWe believe vulnerability disclosure style is a personal choice and enjoy working with a diverse community. We understand and appreciate the importance of Full Disclosure in the history and practice of security research.\n\nWe would *like* to know about high-severity bugs before they become public knowledge, so we can fix them in a timely manner, but **we do not believe in threatening researchers or trying to enforce vulnerability embargoes**.\n\nUltimately, if you discover a security-affecting vulnerability, what you do with it is your choice. We would like to work with people, and to celebrate and reward their skill, experience, and dedication. We appreciate being informed of our mistakes so we can learn from them and build a better product. Our goal is to empower the community.\n\n### Where to Send Security Vulnerabilities\n\nFeel free to submit them via HackerOne, or email them to our security team directly (`security@paragonie.com`). 
Also feel free to open a new issue on Github if you want to disclose publicly.\n\n```\n-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: GnuPG\n\nmQENBFUgwRUBCADcIpqNwyYc5UmY/tpx1sF/rQ3knR1YNXYZThzFV+Gmqhp1fDH5\nqBs9foh1xwI6O7knWmQngnf/nBumI3x6xj7PuOdEZUh2FwCG/VWnglW8rKmoHzHA\nivjiu9SLnPIPAgHSHeh2XD7q3Ndm3nenbjAiRFNl2iXcwA2cTQp9Mmfw9vVcw0G0\nz1o0G3s8cC8ZS6flFySIervvfSRWj7A1acI5eE3+AH/qXJRdEJ+9J8OB65p1JMfk\n6+fWgOB1XZxMpz70S0rW6IX38WDSRhEK2fXyZJAJjyt+YGuzjZySNSoQR/V6vNYn\nsyrNPCJ2i5CgZQxAkyBBcr7koV9RIhPRzct/ABEBAAG0IVNlY3VyaXR5IDxzZWN1\ncml0eUBwYXJhZ29uaWUuY29tPokBOQQTAQIAIwUCVSDBFQIbAwcLCQgHAwIBBhUI\nAgkKCwQWAgMBAh4BAheAAAoJEGuXocKCZATat2YIAIoejNFEQ2c1iaOEtSuB7Pn/\nWLbsDsHNLDKOV+UnfaCjv/vL7D+5NMChFCi2frde/NQb2TsjqmIH+V+XbnJtlrXD\nVj7yvMVal+Jqjwj7v4eOEWcKVcFZk+9cfUgh7t92T2BMX58RpgZF0IQZ6Z1R3FfC\n9Ub4X6ykW+te1q0/4CoRycniwmlQi6iGSr99LQ5pfJq2Qlmz/luTZ0UX0h575T7d\ncp2T1sX/zFRk/fHeANWSksipdDBjAXR7NMnYZgw2HghEdFk/xRDY7K1NRWNZBf05\nWrMHmh6AIVJiWZvI175URxEe268hh+wThBhXQHMhFNJM1qPIuzb4WogxM3UUD7m5\nAQ0EVSDBFQEIALNkpzSuJsHAHh79sc0AYWztdUe2MzyofQbbOnOCpWZebYsC3EXU\n335fIg59k0m6f+O7GmEZzzIv5v0i99GS1R8CJm6FvhGqtH8ZqmOGbc71WdJSiNVE\n0kpQoJlVzRbig6ZyyjzrggbM1eh5OXOk5pw4+23FFEdw7JWU0HJS2o71r1hwp05Z\nvy21kcUEobz/WWQQyGS0Neo7PJn+9KS6wOxXul/UE0jct/5f7KLMdWMJ1VgniQmm\nhjvkHLPSICteqCI04RfcmMseW9gueHQXeUu1SNIvsWa2MhxjeBej3pDnrZWszKwy\ngF45GO9/v4tkIXNMy5J1AtOyRgQ3IUMqp8EAEQEAAYkBHwQYAQIACQUCVSDBFQIb\nDAAKCRBrl6HCgmQE2jnIB/4/xFz8InpM7eybnBOAir3uGcYfs3DOmaKn7qWVtGzv\nrKpQPYnVtlU2i6Z5UO4c4jDLT/8Xm1UDz3Lxvqt4xCaDwJvBZexU5BMK8l5DvOzH\n6o6P2L1UDu6BvmPXpVZz7/qUhOnyf8VQg/dAtYF4/ax19giNUpI5j5o5mX5w80Rx\nqSXV9NdSL4fdjeG1g/xXv2luhoV53T1bsycI3wjk/x5tV+M2KVhZBvvuOm/zhJje\noLWp0saaESkGXIXqurj6gZoujJvSvzl0n9F9VwqMEizDUfrXgtD1siQGhP0sVC6q\nha+F/SAEJ0jEquM4TfKWWU2S5V5vgPPpIQSYRnhQW4b1\n=xJPW\n-----END PGP PUBLIC KEY BLOCK-----\n```\n\n### We Will Reward Security Researchers\n\nIf you report a valid security-affecting bug, we will compensate you for the time spent finding the vulnerability and reward you for 
being a good neighbor.\n\nCompensation will typically fall under these two categories:\n\n* Critical (Remote Code Execution, Catastrophic Cryptography Failure): $200+\n* Anything else: $50 to $199\n* Invalid bugs reports: Nothing\n\nNote that we reserve the right to be overwhelmingly generous on a case-by-case basis. ;)\n\n#### What does a \"valid\" bug mean?\n\nThere are two sides to this:\n\n1. Some have spammed projects with invalid bug reports hoping to collect bounties for pressing a button and running an automated analysis tool. This is not cool.\n2. There is a potential for the developers of a project to declare all security bug reports as invalid to save money.\n\nOur team members have an established history of reporting vulnerabilities to large open source projects. **We aren't in the business of ripping people off.** When in doubt, our policy is to err on the side of generosity.\n\n## Scope\n\nWe're only interested in the *source* repositories in the [ParagonIE](https://github.com/paragonie) organization on Github that have at least seen a version `1.0.0` stable release, not any repositories we forked (which we usually only do when fixing a security vulnerability in the upstream repository).\n\nWe're not interested in trivial problems with our website (e.g. \"missing SPF headers\").\n\n### Please do *not* submit any of the following:\n\n* Any non-critical security concerns with our domain name and/or website\n* Very minor security concerns with alpha software (anything for which the latest release is not at least `1.0.0`)\n\n## No Proof-of-Concept Required\n\nWe might ask for one if we feel we do not understand some of the details pertaining to a specific vulnerability. 
We certainly appreciate them if you include them in your report, but we believe **the burden lies with the developer to prove their software *is* secure** rather than with the researcher to prove that it isn't.\n\nIn our experience, most bugs are simpler to fix than they are to exploit.\n\n## We Practice Full Disclosure\n\nAny reports (valid or invalid) will be disclosed fully as soon as possible. This is a good security practice that we encourage more programs to adopt.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-06-17T17:31:48.210Z"},{"id":2789059,"new_policy":"# An Invitation to Security Researchers\n\nEvery company says they take security \"very seriously.\" Rather than bore anyone with banal boilerplate, here are some quick answers followed by detailed elaboration. If you have any questions about our policies, please email them to `scott@paragonie.com`.\n\n## Quick Answers\n\n* There is no compulsion to disclose vulnerabilities privately, but we appreciate a head's up.\n* `security@paragonie.com` will get your reports to the right person. 
Our GPG  fingerprint, should you decide to encrypt your report, is `7F52 D5C6 1D12 55C7 3136  2E82 6B97 A1C2 8264 04DA`.\n* **YES**, we will reward security researchers who disclose vulnerabilities in our software.\n* In most cases, **No Proof-of-Concept Required.**\n* Please focus on the source repositories in our Github organization, **not our website** or any forks of other peoples' projects.\n* Unless it results in code execution, we're not interested in bugs with our website.\n\n## How to Report a Security Bug to Paragon Initiative Enterprises\n\n### There is no compulsion to disclose privately.\n\nWe believe vulnerability disclosure style is a personal choice and enjoy working with a diverse community. We understand and appreciate the importance of Full Disclosure in the history and practice of security research.\n\nWe would *like* to know about high-severity bugs before they become public knowledge, so we can fix them in a timely manner, but **we do not believe in threatening researchers or trying to enforce vulnerability embargoes**.\n\nUltimately, if you discover a security-affecting vulnerability, what you do with it is your choice. We would like to work with people, and to celebrate and reward their skill, experience, and dedication. We appreciate being informed of our mistakes so we can learn from them and build a better product. Our goal is to empower the community.\n\n### Where to Send Security Vulnerabilities\n\nFeel free to submit them via HackerOne, or email them to our security team directly (`security@paragonie.com`). 
Also feel free to open a new issue on Github if you want to disclose publicly.\n\n```\n-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: GnuPG\n\nmQENBFUgwRUBCADcIpqNwyYc5UmY/tpx1sF/rQ3knR1YNXYZThzFV+Gmqhp1fDH5\nqBs9foh1xwI6O7knWmQngnf/nBumI3x6xj7PuOdEZUh2FwCG/VWnglW8rKmoHzHA\nivjiu9SLnPIPAgHSHeh2XD7q3Ndm3nenbjAiRFNl2iXcwA2cTQp9Mmfw9vVcw0G0\nz1o0G3s8cC8ZS6flFySIervvfSRWj7A1acI5eE3+AH/qXJRdEJ+9J8OB65p1JMfk\n6+fWgOB1XZxMpz70S0rW6IX38WDSRhEK2fXyZJAJjyt+YGuzjZySNSoQR/V6vNYn\nsyrNPCJ2i5CgZQxAkyBBcr7koV9RIhPRzct/ABEBAAG0IVNlY3VyaXR5IDxzZWN1\ncml0eUBwYXJhZ29uaWUuY29tPokBOQQTAQIAIwUCVSDBFQIbAwcLCQgHAwIBBhUI\nAgkKCwQWAgMBAh4BAheAAAoJEGuXocKCZATat2YIAIoejNFEQ2c1iaOEtSuB7Pn/\nWLbsDsHNLDKOV+UnfaCjv/vL7D+5NMChFCi2frde/NQb2TsjqmIH+V+XbnJtlrXD\nVj7yvMVal+Jqjwj7v4eOEWcKVcFZk+9cfUgh7t92T2BMX58RpgZF0IQZ6Z1R3FfC\n9Ub4X6ykW+te1q0/4CoRycniwmlQi6iGSr99LQ5pfJq2Qlmz/luTZ0UX0h575T7d\ncp2T1sX/zFRk/fHeANWSksipdDBjAXR7NMnYZgw2HghEdFk/xRDY7K1NRWNZBf05\nWrMHmh6AIVJiWZvI175URxEe268hh+wThBhXQHMhFNJM1qPIuzb4WogxM3UUD7m5\nAQ0EVSDBFQEIALNkpzSuJsHAHh79sc0AYWztdUe2MzyofQbbOnOCpWZebYsC3EXU\n335fIg59k0m6f+O7GmEZzzIv5v0i99GS1R8CJm6FvhGqtH8ZqmOGbc71WdJSiNVE\n0kpQoJlVzRbig6ZyyjzrggbM1eh5OXOk5pw4+23FFEdw7JWU0HJS2o71r1hwp05Z\nvy21kcUEobz/WWQQyGS0Neo7PJn+9KS6wOxXul/UE0jct/5f7KLMdWMJ1VgniQmm\nhjvkHLPSICteqCI04RfcmMseW9gueHQXeUu1SNIvsWa2MhxjeBej3pDnrZWszKwy\ngF45GO9/v4tkIXNMy5J1AtOyRgQ3IUMqp8EAEQEAAYkBHwQYAQIACQUCVSDBFQIb\nDAAKCRBrl6HCgmQE2jnIB/4/xFz8InpM7eybnBOAir3uGcYfs3DOmaKn7qWVtGzv\nrKpQPYnVtlU2i6Z5UO4c4jDLT/8Xm1UDz3Lxvqt4xCaDwJvBZexU5BMK8l5DvOzH\n6o6P2L1UDu6BvmPXpVZz7/qUhOnyf8VQg/dAtYF4/ax19giNUpI5j5o5mX5w80Rx\nqSXV9NdSL4fdjeG1g/xXv2luhoV53T1bsycI3wjk/x5tV+M2KVhZBvvuOm/zhJje\noLWp0saaESkGXIXqurj6gZoujJvSvzl0n9F9VwqMEizDUfrXgtD1siQGhP0sVC6q\nha+F/SAEJ0jEquM4TfKWWU2S5V5vgPPpIQSYRnhQW4b1\n=xJPW\n-----END PGP PUBLIC KEY BLOCK-----\n```\n\n### We Will Reward Security Researchers\n\nIf you report a valid security-affecting bug, we will compensate you for the time spent finding the vulnerability and reward you for 
being a good neighbor.\n\nCompensation will typically fall under these two categories:\n\n* Critical (Remote Code Execution, Catastrophic Cryptography Failure): $200+\n* Anything else: $50 to $199\n* Invalid bugs reports: Nothing\n\nNote that we reserve the right to be overwhelmingly generous on a case-by-case basis. ;)\n\n#### What does a \"valid\" bug mean?\n\nThere are two sides to this:\n\n1. Some have spammed projects with invalid bug reports hoping to collect bounties for pressing a button and running an automated analysis tool. This is not cool.\n2. There is a potential for the developers of a project to declare all security bug reports as invalid to save money.\n\nOur team members have an established history of reporting vulnerabilities to large open source projects. **We aren't in the business of ripping people off.** When in doubt, our policy is to err on the side of generosity.\n\n## Scope\n\nWe're only interested in the *source* repositories in the [ParagonIE](https://github.com/paragonie) organization on Github that have at least seen a version `1.0.0` stable release, not any repositories we forked (which we usually only do when fixing a security vulnerability in the upstream repository). \n\nWe're not interested in trivial problems with our website (e.g. \"missing SPF headers\").\n\n### Please do *not* submit any of the following:\n\n* Any non-critical security concerns with our domain name and/or website\n* Very minor security concerns with alpha software (anything for which the latest release is not at least `1.0.0`)\n\n## No Proof-of-Concept Required\n\nWe might ask for one if we feel we do not understand some of the details pertaining to a specific vulnerability. 
We certainly appreciate them if you include them in your report, but we believe **the burden lies with the developer to prove their software *is* secure** rather than with the researcher to prove that it isn't.\n\nIn our experience, most bugs are simpler to fix than they are to exploit.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-05-20T16:39:03.476Z"},{"id":2233308,"new_policy":"# An Invitation to Security Researchers\n\nEvery company says they take security \"very seriously.\" Rather than bore anyone with banal boilerplate, here are some quick answers followed by detailed elaboration. If you have any questions about our policies, please email them to `scott@paragonie.com`.\n\n## IMPORTANT (2015-02-08)\n\nPlease do not test our website, it is completely out of scope until further notice due to a deluge of false positives being reported. Only our projects on Github. Thank you for understanding.\n\n## Quick Answers\n\n* There is no compulsion to disclose vulnerabilities privately, but we appreciate a head's up.\n* `security@paragonie.com` will get your reports to the right person. 
Our GPG  fingerprint, should you decide to encrypt your report, is `7F52 D5C6 1D12 55C7 3136  2E82 6B97 A1C2 8264 04DA`.\n* **YES**, we will reward security researchers who disclose vulnerabilities in our software.\n* In most cases, **No Proof-of-Concept Required.**\n* Please focus on the source repositories in our Github organization, **not our website** or any forks.\n* Our website, [paragonie.com](https://paragonie.com) is **strictly out of scope**.\n\n## How to Report a Security Bug to Paragon Initiative Enterprises\n\n### There is no compulsion to disclose privately.\n\nWe believe vulnerability disclosure style is a personal choice and enjoy working with a diverse community. We understand and appreciate the importance of Full Disclosure in the history and practice of security research.\n\nWe would *like* to know about high-severity bugs before they become public knowledge, so we can fix them in a timely manner, but **we do not believe in threatening researchers or trying to enforce vulnerability embargoes**.\n\nUltimately, if you discover a security-affecting vulnerability, what you do with it is your choice. We would like to work with people, and to celebrate and reward their skill, experience, and dedication. We appreciate being informed of our mistakes so we can learn from them and build a better product. Our goal is to empower the community.\n\n### Where to Send Security Vulnerabilities\n\nFeel free to submit them via HackerOne, or email them to our security team directly (`security@paragonie.com`). 
Also feel free to open a new issue on Github if you want to disclose publicly.\n\n```\n-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: GnuPG\n\nmQENBFUgwRUBCADcIpqNwyYc5UmY/tpx1sF/rQ3knR1YNXYZThzFV+Gmqhp1fDH5\nqBs9foh1xwI6O7knWmQngnf/nBumI3x6xj7PuOdEZUh2FwCG/VWnglW8rKmoHzHA\nivjiu9SLnPIPAgHSHeh2XD7q3Ndm3nenbjAiRFNl2iXcwA2cTQp9Mmfw9vVcw0G0\nz1o0G3s8cC8ZS6flFySIervvfSRWj7A1acI5eE3+AH/qXJRdEJ+9J8OB65p1JMfk\n6+fWgOB1XZxMpz70S0rW6IX38WDSRhEK2fXyZJAJjyt+YGuzjZySNSoQR/V6vNYn\nsyrNPCJ2i5CgZQxAkyBBcr7koV9RIhPRzct/ABEBAAG0IVNlY3VyaXR5IDxzZWN1\ncml0eUBwYXJhZ29uaWUuY29tPokBOQQTAQIAIwUCVSDBFQIbAwcLCQgHAwIBBhUI\nAgkKCwQWAgMBAh4BAheAAAoJEGuXocKCZATat2YIAIoejNFEQ2c1iaOEtSuB7Pn/\nWLbsDsHNLDKOV+UnfaCjv/vL7D+5NMChFCi2frde/NQb2TsjqmIH+V+XbnJtlrXD\nVj7yvMVal+Jqjwj7v4eOEWcKVcFZk+9cfUgh7t92T2BMX58RpgZF0IQZ6Z1R3FfC\n9Ub4X6ykW+te1q0/4CoRycniwmlQi6iGSr99LQ5pfJq2Qlmz/luTZ0UX0h575T7d\ncp2T1sX/zFRk/fHeANWSksipdDBjAXR7NMnYZgw2HghEdFk/xRDY7K1NRWNZBf05\nWrMHmh6AIVJiWZvI175URxEe268hh+wThBhXQHMhFNJM1qPIuzb4WogxM3UUD7m5\nAQ0EVSDBFQEIALNkpzSuJsHAHh79sc0AYWztdUe2MzyofQbbOnOCpWZebYsC3EXU\n335fIg59k0m6f+O7GmEZzzIv5v0i99GS1R8CJm6FvhGqtH8ZqmOGbc71WdJSiNVE\n0kpQoJlVzRbig6ZyyjzrggbM1eh5OXOk5pw4+23FFEdw7JWU0HJS2o71r1hwp05Z\nvy21kcUEobz/WWQQyGS0Neo7PJn+9KS6wOxXul/UE0jct/5f7KLMdWMJ1VgniQmm\nhjvkHLPSICteqCI04RfcmMseW9gueHQXeUu1SNIvsWa2MhxjeBej3pDnrZWszKwy\ngF45GO9/v4tkIXNMy5J1AtOyRgQ3IUMqp8EAEQEAAYkBHwQYAQIACQUCVSDBFQIb\nDAAKCRBrl6HCgmQE2jnIB/4/xFz8InpM7eybnBOAir3uGcYfs3DOmaKn7qWVtGzv\nrKpQPYnVtlU2i6Z5UO4c4jDLT/8Xm1UDz3Lxvqt4xCaDwJvBZexU5BMK8l5DvOzH\n6o6P2L1UDu6BvmPXpVZz7/qUhOnyf8VQg/dAtYF4/ax19giNUpI5j5o5mX5w80Rx\nqSXV9NdSL4fdjeG1g/xXv2luhoV53T1bsycI3wjk/x5tV+M2KVhZBvvuOm/zhJje\noLWp0saaESkGXIXqurj6gZoujJvSvzl0n9F9VwqMEizDUfrXgtD1siQGhP0sVC6q\nha+F/SAEJ0jEquM4TfKWWU2S5V5vgPPpIQSYRnhQW4b1\n=xJPW\n-----END PGP PUBLIC KEY BLOCK-----\n```\n\n### We Will Reward Security Researchers\n\nIf you report a valid security-affecting bug, we will compensate you for the time spent finding the vulnerability and reward you for 
being a good neighbor.\n\nCompensation will typically fall under these categories:\n\n* Critical (Remote Code Execution, Catastrophic Cryptography Failure): $200+\n* Anything else: $50 to $199\n* Invalid bug reports: Nothing\n* Anything related to our website, domain name, or infrastructure: *Nothing*, until further notice\n\nNote that we reserve the right to be overwhelmingly generous on a case-by-case basis. ;)\n\n#### What does a \"valid\" bug mean?\n\nThere are two sides to this:\n\n1. Some have spammed projects with invalid bug reports hoping to collect bounties for pressing a button and running an automated analysis tool. This is not cool.\n2. There is a potential for the developers of a project to declare all security bug reports as invalid to save money.\n\nOur team members have an established history of reporting vulnerabilities to large open source projects. **We aren't in the business of ripping people off.** When in doubt, our policy is to err on the side of generosity.\n\n## Scope\n\nWe're only interested in the *source* repositories in the [ParagonIE](https://github.com/paragonie) organization on Github that have at least seen a version `1.0.0` stable release, not in the security of our website (which mostly serves static content) or any repositories we forked (which we usually only do when fixing a security vulnerability in the upstream repository). \n\n### Please do *not* submit any of the following:\n\n* Any non-critical security concerns with our domain name and/or website\n* Very minor security concerns with alpha software (anything for which the latest release is not at least `1.0.0`)\n\n## No Proof-of-Concept Required\n\nWe might ask for one if we feel we do not understand some of the details pertaining to a specific vulnerability. 
We certainly appreciate them if you include them in your report, but we believe **the burden lies with the developer to prove their software *is* secure** rather than with the researcher to prove that it isn't.\n\nIn our experience, most bugs are simpler to fix than they are to exploit.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-02-08T04:22:40.968Z"},{"id":2233151,"new_policy":"# An Invitation to Security Researchers\n\nEvery company says they take security \"very seriously.\" Rather than bore anyone with banal boilerplate, here are some quick answers followed by detailed elaboration. If you have any questions about our policies, please email them to `scott@paragonie.com`.\n\n## Quick Answers\n\n* There is no compulsion to disclose vulnerabilities privately, but we appreciate a heads-up.\n* `security@paragonie.com` will get your reports to the right person. Our GPG fingerprint, should you decide to encrypt your report, is `7F52 D5C6 1D12 55C7 3136  2E82 6B97 A1C2 8264 04DA`.\n* **YES**, we will reward security researchers who disclose vulnerabilities in our software.\n* In most cases, **No Proof-of-Concept Required.**\n* Please focus on the source repositories in our Github organization, **not our website** or any forks.\n\n## How to Report a Security Bug to Paragon Initiative Enterprises\n\n### There is no compulsion to disclose privately.\n\nWe believe vulnerability disclosure style is a personal choice and enjoy working with a diverse community. 
We understand and appreciate the importance of Full Disclosure in the history and practice of security research.\n\nWe would *like* to know about high-severity bugs before they become public knowledge, so we can fix them in a timely manner, but **we do not believe in threatening researchers or trying to enforce vulnerability embargoes**.\n\nUltimately, if you discover a security-affecting vulnerability, what you do with it is your choice. We would like to work with people, and to celebrate and reward their skill, experience, and dedication. We appreciate being informed of our mistakes so we can learn from them and build a better product. Our goal is to empower the community.\n\n### Where to Send Security Vulnerabilities\n\nFeel free to submit them via HackerOne, or email them to our security team directly (`security@paragonie.com`). Also feel free to open a new issue on Github if you want to disclose publicly.\n\n```\n-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: GnuPG\n\nmQENBFUgwRUBCADcIpqNwyYc5UmY/tpx1sF/rQ3knR1YNXYZThzFV+Gmqhp1fDH5\nqBs9foh1xwI6O7knWmQngnf/nBumI3x6xj7PuOdEZUh2FwCG/VWnglW8rKmoHzHA\nivjiu9SLnPIPAgHSHeh2XD7q3Ndm3nenbjAiRFNl2iXcwA2cTQp9Mmfw9vVcw0G0\nz1o0G3s8cC8ZS6flFySIervvfSRWj7A1acI5eE3+AH/qXJRdEJ+9J8OB65p1JMfk\n6+fWgOB1XZxMpz70S0rW6IX38WDSRhEK2fXyZJAJjyt+YGuzjZySNSoQR/V6vNYn\nsyrNPCJ2i5CgZQxAkyBBcr7koV9RIhPRzct/ABEBAAG0IVNlY3VyaXR5IDxzZWN1\ncml0eUBwYXJhZ29uaWUuY29tPokBOQQTAQIAIwUCVSDBFQIbAwcLCQgHAwIBBhUI\nAgkKCwQWAgMBAh4BAheAAAoJEGuXocKCZATat2YIAIoejNFEQ2c1iaOEtSuB7Pn/\nWLbsDsHNLDKOV+UnfaCjv/vL7D+5NMChFCi2frde/NQb2TsjqmIH+V+XbnJtlrXD\nVj7yvMVal+Jqjwj7v4eOEWcKVcFZk+9cfUgh7t92T2BMX58RpgZF0IQZ6Z1R3FfC\n9Ub4X6ykW+te1q0/4CoRycniwmlQi6iGSr99LQ5pfJq2Qlmz/luTZ0UX0h575T7d\ncp2T1sX/zFRk/fHeANWSksipdDBjAXR7NMnYZgw2HghEdFk/xRDY7K1NRWNZBf05\nWrMHmh6AIVJiWZvI175URxEe268hh+wThBhXQHMhFNJM1qPIuzb4WogxM3UUD7m5\nAQ0EVSDBFQEIALNkpzSuJsHAHh79sc0AYWztdUe2MzyofQbbOnOCpWZebYsC3EXU\n335fIg59k0m6f+O7GmEZzzIv5v0i99GS1R8CJm6FvhGqtH8ZqmOGbc71WdJSiNVE\n0kpQoJlVzRbig6Zyyjzrgg
bM1eh5OXOk5pw4+23FFEdw7JWU0HJS2o71r1hwp05Z\nvy21kcUEobz/WWQQyGS0Neo7PJn+9KS6wOxXul/UE0jct/5f7KLMdWMJ1VgniQmm\nhjvkHLPSICteqCI04RfcmMseW9gueHQXeUu1SNIvsWa2MhxjeBej3pDnrZWszKwy\ngF45GO9/v4tkIXNMy5J1AtOyRgQ3IUMqp8EAEQEAAYkBHwQYAQIACQUCVSDBFQIb\nDAAKCRBrl6HCgmQE2jnIB/4/xFz8InpM7eybnBOAir3uGcYfs3DOmaKn7qWVtGzv\nrKpQPYnVtlU2i6Z5UO4c4jDLT/8Xm1UDz3Lxvqt4xCaDwJvBZexU5BMK8l5DvOzH\n6o6P2L1UDu6BvmPXpVZz7/qUhOnyf8VQg/dAtYF4/ax19giNUpI5j5o5mX5w80Rx\nqSXV9NdSL4fdjeG1g/xXv2luhoV53T1bsycI3wjk/x5tV+M2KVhZBvvuOm/zhJje\noLWp0saaESkGXIXqurj6gZoujJvSvzl0n9F9VwqMEizDUfrXgtD1siQGhP0sVC6q\nha+F/SAEJ0jEquM4TfKWWU2S5V5vgPPpIQSYRnhQW4b1\n=xJPW\n-----END PGP PUBLIC KEY BLOCK-----\n```\n\n### We Will Reward Security Researchers\n\nIf you report a valid security-affecting bug, we will compensate you for the time spent finding the vulnerability and reward you for being a good neighbor.\n\nCompensation will typically fall under these two categories:\n\n* Critical (Remote Code Execution, Catastrophic Cryptography Failure): $200+\n* Anything else: $50 to $199\n* Invalid bugs reports: Nothing\n\nNote that we reserve the right to be overwhelmingly generous on a case-by-case basis. ;)\n\n#### What does a \"valid\" bug mean?\n\nThere are two sides to this:\n\n1. Some have spammed projects with invalid bug reports hoping to collect bounties for pressing a button and running an automated analysis tool. This is not cool.\n2. There is a potential for the developers of a project to declare all security bug reports as invalid to save money.\n\nOur team members have an established history of reporting vulnerabilities to large open source projects. 
**We aren't in the business of ripping people off.** When in doubt, our policy is to err on the side of generosity.\n\n## Scope\n\nWe're mostly interested in the *source* repositories in the [ParagonIE](https://github.com/paragonie) organization on Github that have at least seen a version `1.0.0` stable release, not in the security of our website (which mostly serves static content) or any repositories we forked (which we usually only do when fixing a security vulnerability in the upstream repository). \n\n### Please do *not* submit any of the following:\n\n* Very minor security concerns (e.g. \"missing best practice\") with our domain name and/or website\n* Very minor security concerns with alpha software (anything for which the latest release is not at least `1.0.0`)\n\nIf you, however, find a vulnerability that allows you to compromise our server (e.g. SQL injection, Remote Code Execution), then we'll make an exception and award you a bounty anyway.\n\n## No Proof-of-Concept Required\n\nWe might ask for one if we feel we do not understand some of the details pertaining to a specific vulnerability. We certainly appreciate them if you include them in your report, but we believe **the burden lies with the developer to prove their software *is* secure** rather than with the researcher to prove that it isn't.\n\nIn our experience, most bugs are simpler to fix than they are to exploit.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-02-08T02:05:14.526Z"},{"id":2233150,"new_policy":"# An Invitation to Security Researchers\n\nEvery company says they take security \"very seriously.\" Rather than bore anyone with banal boilerplate, here are some quick answers followed by detailed elaboration. 
If you have any questions about our policies, please email them to `scott@paragonie.com`.\n\n## Quick Answers\n\n* There is no compulsion to disclose vulnerabilities privately, but we appreciate a heads-up.\n* `security@paragonie.com` will get your reports to the right person. Our GPG fingerprint, should you decide to encrypt your report, is `7F52 D5C6 1D12 55C7 3136  2E82 6B97 A1C2 8264 04DA`.\n* **YES**, we will reward security researchers who disclose vulnerabilities in our software.\n* In most cases, **No Proof-of-Concept Required.**\n* Please focus on the source repositories in our Github organization, **not our website** or any forks.\n\n## How to Report a Security Bug to Paragon Initiative Enterprises\n\n### There is no compulsion to disclose privately.\n\nWe believe vulnerability disclosure style is a personal choice and enjoy working with a diverse community. We understand and appreciate the importance of Full Disclosure in the history and practice of security research.\n\nWe would *like* to know about high-severity bugs before they become public knowledge, so we can fix them in a timely manner, but **we do not believe in threatening researchers or trying to enforce vulnerability embargoes**.\n\nUltimately, if you discover a security-affecting vulnerability, what you do with it is your choice. We would like to work with people, and to celebrate and reward their skill, experience, and dedication. We appreciate being informed of our mistakes so we can learn from them and build a better product. Our goal is to empower the community.\n\n### Where to Send Security Vulnerabilities\n\nFeel free to submit them via HackerOne, or email them to our security team directly (`security@paragonie.com`). 
Also feel free to open a new issue on Github if you want to disclose publicly.\n\n```\n-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: GnuPG\n\nmQENBFUgwRUBCADcIpqNwyYc5UmY/tpx1sF/rQ3knR1YNXYZThzFV+Gmqhp1fDH5\nqBs9foh1xwI6O7knWmQngnf/nBumI3x6xj7PuOdEZUh2FwCG/VWnglW8rKmoHzHA\nivjiu9SLnPIPAgHSHeh2XD7q3Ndm3nenbjAiRFNl2iXcwA2cTQp9Mmfw9vVcw0G0\nz1o0G3s8cC8ZS6flFySIervvfSRWj7A1acI5eE3+AH/qXJRdEJ+9J8OB65p1JMfk\n6+fWgOB1XZxMpz70S0rW6IX38WDSRhEK2fXyZJAJjyt+YGuzjZySNSoQR/V6vNYn\nsyrNPCJ2i5CgZQxAkyBBcr7koV9RIhPRzct/ABEBAAG0IVNlY3VyaXR5IDxzZWN1\ncml0eUBwYXJhZ29uaWUuY29tPokBOQQTAQIAIwUCVSDBFQIbAwcLCQgHAwIBBhUI\nAgkKCwQWAgMBAh4BAheAAAoJEGuXocKCZATat2YIAIoejNFEQ2c1iaOEtSuB7Pn/\nWLbsDsHNLDKOV+UnfaCjv/vL7D+5NMChFCi2frde/NQb2TsjqmIH+V+XbnJtlrXD\nVj7yvMVal+Jqjwj7v4eOEWcKVcFZk+9cfUgh7t92T2BMX58RpgZF0IQZ6Z1R3FfC\n9Ub4X6ykW+te1q0/4CoRycniwmlQi6iGSr99LQ5pfJq2Qlmz/luTZ0UX0h575T7d\ncp2T1sX/zFRk/fHeANWSksipdDBjAXR7NMnYZgw2HghEdFk/xRDY7K1NRWNZBf05\nWrMHmh6AIVJiWZvI175URxEe268hh+wThBhXQHMhFNJM1qPIuzb4WogxM3UUD7m5\nAQ0EVSDBFQEIALNkpzSuJsHAHh79sc0AYWztdUe2MzyofQbbOnOCpWZebYsC3EXU\n335fIg59k0m6f+O7GmEZzzIv5v0i99GS1R8CJm6FvhGqtH8ZqmOGbc71WdJSiNVE\n0kpQoJlVzRbig6ZyyjzrggbM1eh5OXOk5pw4+23FFEdw7JWU0HJS2o71r1hwp05Z\nvy21kcUEobz/WWQQyGS0Neo7PJn+9KS6wOxXul/UE0jct/5f7KLMdWMJ1VgniQmm\nhjvkHLPSICteqCI04RfcmMseW9gueHQXeUu1SNIvsWa2MhxjeBej3pDnrZWszKwy\ngF45GO9/v4tkIXNMy5J1AtOyRgQ3IUMqp8EAEQEAAYkBHwQYAQIACQUCVSDBFQIb\nDAAKCRBrl6HCgmQE2jnIB/4/xFz8InpM7eybnBOAir3uGcYfs3DOmaKn7qWVtGzv\nrKpQPYnVtlU2i6Z5UO4c4jDLT/8Xm1UDz3Lxvqt4xCaDwJvBZexU5BMK8l5DvOzH\n6o6P2L1UDu6BvmPXpVZz7/qUhOnyf8VQg/dAtYF4/ax19giNUpI5j5o5mX5w80Rx\nqSXV9NdSL4fdjeG1g/xXv2luhoV53T1bsycI3wjk/x5tV+M2KVhZBvvuOm/zhJje\noLWp0saaESkGXIXqurj6gZoujJvSvzl0n9F9VwqMEizDUfrXgtD1siQGhP0sVC6q\nha+F/SAEJ0jEquM4TfKWWU2S5V5vgPPpIQSYRnhQW4b1\n=xJPW\n-----END PGP PUBLIC KEY BLOCK-----\n```\n\n### We Will Reward Security Researchers\n\nIf you report a valid security-affecting bug, we will compensate you for the time spent finding the vulnerability and reward you for 
being a good neighbor.\n\nCompensation will typically fall under these categories:\n\n* Critical (Remote Code Execution, Catastrophic Cryptography Failure): $200+\n* Anything else: $50 to $199\n* Invalid bug reports: Nothing\n\nNote that we reserve the right to be overwhelmingly generous on a case-by-case basis. ;)\n\n#### What does a \"valid\" bug mean?\n\nThere are two sides to this:\n\n1. Some have spammed projects with invalid bug reports hoping to collect bounties for pressing a button and running an automated analysis tool. This is not cool.\n2. There is a potential for the developers of a project to declare all security bug reports as invalid to save money.\n\nOur team members have an established history of reporting vulnerabilities to large open source projects. **We aren't in the business of ripping people off.** When in doubt, our policy is to err on the side of generosity.\n\n## Scope\n\nWe're mostly interested in the *source* repositories in the [ParagonIE](https://github.com/paragonie) organization on Github that have at least seen a version `1.0.0` stable release, not in the security of our website (which mostly serves static content) or any repositories we forked (which we usually only do when fixing a security vulnerability in the upstream repository). \n\n### Please do *not* submit any of the following:\n\n* Very minor security concerns (e.g. \"missing best practice\") with our domain name and/or website\n* Very minor security concerns with alpha software (anything for which the latest release is not at least `1.0.0`)\n\nIf you, however, find a vulnerability that allows you to compromise our server (e.g. SQL injection, Remote Code Execution), then we'll make an exception and award you a bounty anyway.\n\n### No Proof-of-Concept Required\n\nWe might ask for one if we feel we do not understand some of the details pertaining to a specific vulnerability. 
We certainly appreciate them if you include them in your report, but we believe **the burden lies with the developer to prove their software *is* secure** rather than with the researcher to prove that it isn't.\n\nIn our experience, most bugs are simpler to fix than they are to exploit.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-02-08T02:05:08.782Z"},{"id":2233149,"new_policy":"# An Invitation to Security Researchers\n\nEvery company says they take security \"very seriously.\" Rather than bore anyone with banal boilerplate, here are some quick answers followed by detailed elaboration. If you have any questions about our policies, please email them to `scott@paragonie.com`.\n\n## Quick Answers\n\n* There is no compulsion to disclose vulnerabilities privately, but we appreciate a heads-up.\n* `security@paragonie.com` will get your reports to the right person. Our GPG fingerprint, should you decide to encrypt your report, is `7F52 D5C6 1D12 55C7 3136  2E82 6B97 A1C2 8264 04DA`.\n* **YES**, we will reward security researchers who disclose vulnerabilities in our software.\n* In most cases, **No Proof-of-Concept Required.**\n* Please focus on the source repositories in our Github organization, **not our website** or any forks.\n\n## How to Report a Security Bug to Paragon Initiative Enterprises\n\n### There is no compulsion to disclose privately.\n\nWe believe vulnerability disclosure style is a personal choice and enjoy working with a diverse community. 
We understand and appreciate the importance of Full Disclosure in the history and practice of security research.\n\nWe would *like* to know about high-severity bugs before they become public knowledge, so we can fix them in a timely manner, but **we do not believe in threatening researchers or trying to enforce vulnerability embargoes**.\n\nUltimately, if you discover a security-affecting vulnerability, what you do with it is your choice. We would like to work with people, and to celebrate and reward their skill, experience, and dedication. We appreciate being informed of our mistakes so we can learn from them and build a better product. Our goal is to empower the community.\n\n### Where to Send Security Vulnerabilities\n\nFeel free to submit them via HackerOne, or email them to our security team directly (`security@paragonie.com`). Also feel free to open a new issue on Github if you want to disclose publicly.\n\n```\n-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: GnuPG\n\nmQENBFUgwRUBCADcIpqNwyYc5UmY/tpx1sF/rQ3knR1YNXYZThzFV+Gmqhp1fDH5\nqBs9foh1xwI6O7knWmQngnf/nBumI3x6xj7PuOdEZUh2FwCG/VWnglW8rKmoHzHA\nivjiu9SLnPIPAgHSHeh2XD7q3Ndm3nenbjAiRFNl2iXcwA2cTQp9Mmfw9vVcw0G0\nz1o0G3s8cC8ZS6flFySIervvfSRWj7A1acI5eE3+AH/qXJRdEJ+9J8OB65p1JMfk\n6+fWgOB1XZxMpz70S0rW6IX38WDSRhEK2fXyZJAJjyt+YGuzjZySNSoQR/V6vNYn\nsyrNPCJ2i5CgZQxAkyBBcr7koV9RIhPRzct/ABEBAAG0IVNlY3VyaXR5IDxzZWN1\ncml0eUBwYXJhZ29uaWUuY29tPokBOQQTAQIAIwUCVSDBFQIbAwcLCQgHAwIBBhUI\nAgkKCwQWAgMBAh4BAheAAAoJEGuXocKCZATat2YIAIoejNFEQ2c1iaOEtSuB7Pn/\nWLbsDsHNLDKOV+UnfaCjv/vL7D+5NMChFCi2frde/NQb2TsjqmIH+V+XbnJtlrXD\nVj7yvMVal+Jqjwj7v4eOEWcKVcFZk+9cfUgh7t92T2BMX58RpgZF0IQZ6Z1R3FfC\n9Ub4X6ykW+te1q0/4CoRycniwmlQi6iGSr99LQ5pfJq2Qlmz/luTZ0UX0h575T7d\ncp2T1sX/zFRk/fHeANWSksipdDBjAXR7NMnYZgw2HghEdFk/xRDY7K1NRWNZBf05\nWrMHmh6AIVJiWZvI175URxEe268hh+wThBhXQHMhFNJM1qPIuzb4WogxM3UUD7m5\nAQ0EVSDBFQEIALNkpzSuJsHAHh79sc0AYWztdUe2MzyofQbbOnOCpWZebYsC3EXU\n335fIg59k0m6f+O7GmEZzzIv5v0i99GS1R8CJm6FvhGqtH8ZqmOGbc71WdJSiNVE\n0kpQoJlVzRbig6Zyyjzrgg
bM1eh5OXOk5pw4+23FFEdw7JWU0HJS2o71r1hwp05Z\nvy21kcUEobz/WWQQyGS0Neo7PJn+9KS6wOxXul/UE0jct/5f7KLMdWMJ1VgniQmm\nhjvkHLPSICteqCI04RfcmMseW9gueHQXeUu1SNIvsWa2MhxjeBej3pDnrZWszKwy\ngF45GO9/v4tkIXNMy5J1AtOyRgQ3IUMqp8EAEQEAAYkBHwQYAQIACQUCVSDBFQIb\nDAAKCRBrl6HCgmQE2jnIB/4/xFz8InpM7eybnBOAir3uGcYfs3DOmaKn7qWVtGzv\nrKpQPYnVtlU2i6Z5UO4c4jDLT/8Xm1UDz3Lxvqt4xCaDwJvBZexU5BMK8l5DvOzH\n6o6P2L1UDu6BvmPXpVZz7/qUhOnyf8VQg/dAtYF4/ax19giNUpI5j5o5mX5w80Rx\nqSXV9NdSL4fdjeG1g/xXv2luhoV53T1bsycI3wjk/x5tV+M2KVhZBvvuOm/zhJje\noLWp0saaESkGXIXqurj6gZoujJvSvzl0n9F9VwqMEizDUfrXgtD1siQGhP0sVC6q\nha+F/SAEJ0jEquM4TfKWWU2S5V5vgPPpIQSYRnhQW4b1\n=xJPW\n-----END PGP PUBLIC KEY BLOCK-----\n```\n\n### We Will Reward Security Researchers\n\nIf you report a valid security-affecting bug, we will compensate you for the time spent finding the vulnerability and reward you for being a good neighbor.\n\nCompensation will typically fall under these two categories:\n\n* Critical (Remote Code Execution, Catastrophic Cryptography Failure): $200+\n* Anything else: $50 to $199\n* Invalid bugs reports: Nothing\n\nNote that we reserve the right to be overwhelmingly generous on a case-by-case basis. ;)\n\n#### What does a \"valid\" bug mean?\n\nThere are two sides to this:\n\n1. Some have spammed projects with invalid bug reports hoping to collect bounties for pressing a button and running an automated analysis tool. This is not cool.\n2. There is a potential for the developers of a project to declare all security bug reports as invalid to save money.\n\nOur team members have an established history of reporting vulnerabilities to large open source projects. 
**We aren't in the business of ripping people off.** When in doubt, our policy is to err on the side of generosity.\n\n### Scope\n\nWe're mostly interested in the *source* repositories in the [ParagonIE](https://github.com/paragonie) organization on Github that have at least seen a version `1.0.0` stable release, not in the security of our website (which mostly serves static content) or any repositories we forked (which we usually only do when fixing a security vulnerability in the upstream repository). \n\nPlease do *not* submit any of the following:\n\n* Very minor security concerns (e.g. \"missing best practice\") with our domain name and/or website\n* Very minor security concerns with alpha software (anything for which the latest release is not at least `1.0.0`)\n\nIf you, however, find a vulnerability that allows you to compromise our server (e.g. SQL injection, Remote Code Execution), then we'll make an exception and award you a bounty anyway.\n\n### No Proof-of-Concept Required\n\nWe might ask for one if we feel we do not understand some of the details pertaining to a specific vulnerability. We certainly appreciate them if you include them in your report, but we believe **the burden lies with the developer to prove their software *is* secure** rather than with the researcher to prove that it isn't.\n\nIn our experience, most bugs are simpler to fix than they are to exploit.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-02-08T02:04:45.814Z"},{"id":2233147,"new_policy":"# An Invitation to Security Researchers\n\nEvery company says they take security \"very seriously.\" Rather than bore anyone with banal boilerplate, here are some quick answers followed by detailed elaboration. 
If you have any questions about our policies, please email them to `scott@paragonie.com`.\n\n## Quick Answers\n\n* There is no compulsion to disclose vulnerabilities privately, but we appreciate a heads-up.\n* `security@paragonie.com` will get your reports to the right person. Our GPG fingerprint, should you decide to encrypt your report, is `7F52 D5C6 1D12 55C7 3136  2E82 6B97 A1C2 8264 04DA`.\n* **YES**, we will reward security researchers who disclose vulnerabilities in our software.\n* In most cases, **No Proof-of-Concept Required.**\n* Please focus on the source repositories in our Github organization, **not our website** or any forks.\n\n## How to Report a Security Bug to Paragon Initiative Enterprises\n\n### There is no compulsion to disclose privately.\n\nWe believe vulnerability disclosure style is a personal choice and enjoy working with a diverse community. We understand and appreciate the importance of Full Disclosure in the history and practice of security research.\n\nWe would *like* to know about high-severity bugs before they become public knowledge, so we can fix them in a timely manner, but **we do not believe in threatening researchers or trying to enforce vulnerability embargoes**.\n\nUltimately, if you discover a security-affecting vulnerability, what you do with it is your choice. We would like to work with people, and to celebrate and reward their skill, experience, and dedication. We appreciate being informed of our mistakes so we can learn from them and build a better product. Our goal is to empower the community.\n\n### Where to Send Security Vulnerabilities\n\nFeel free to submit them via HackerOne, or email them to our security team directly (`security@paragonie.com`). 
Also feel free to open a new issue on Github if you want to disclose publicly.\n\n```\n-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: GnuPG\n\nmQENBFUgwRUBCADcIpqNwyYc5UmY/tpx1sF/rQ3knR1YNXYZThzFV+Gmqhp1fDH5\nqBs9foh1xwI6O7knWmQngnf/nBumI3x6xj7PuOdEZUh2FwCG/VWnglW8rKmoHzHA\nivjiu9SLnPIPAgHSHeh2XD7q3Ndm3nenbjAiRFNl2iXcwA2cTQp9Mmfw9vVcw0G0\nz1o0G3s8cC8ZS6flFySIervvfSRWj7A1acI5eE3+AH/qXJRdEJ+9J8OB65p1JMfk\n6+fWgOB1XZxMpz70S0rW6IX38WDSRhEK2fXyZJAJjyt+YGuzjZySNSoQR/V6vNYn\nsyrNPCJ2i5CgZQxAkyBBcr7koV9RIhPRzct/ABEBAAG0IVNlY3VyaXR5IDxzZWN1\ncml0eUBwYXJhZ29uaWUuY29tPokBOQQTAQIAIwUCVSDBFQIbAwcLCQgHAwIBBhUI\nAgkKCwQWAgMBAh4BAheAAAoJEGuXocKCZATat2YIAIoejNFEQ2c1iaOEtSuB7Pn/\nWLbsDsHNLDKOV+UnfaCjv/vL7D+5NMChFCi2frde/NQb2TsjqmIH+V+XbnJtlrXD\nVj7yvMVal+Jqjwj7v4eOEWcKVcFZk+9cfUgh7t92T2BMX58RpgZF0IQZ6Z1R3FfC\n9Ub4X6ykW+te1q0/4CoRycniwmlQi6iGSr99LQ5pfJq2Qlmz/luTZ0UX0h575T7d\ncp2T1sX/zFRk/fHeANWSksipdDBjAXR7NMnYZgw2HghEdFk/xRDY7K1NRWNZBf05\nWrMHmh6AIVJiWZvI175URxEe268hh+wThBhXQHMhFNJM1qPIuzb4WogxM3UUD7m5\nAQ0EVSDBFQEIALNkpzSuJsHAHh79sc0AYWztdUe2MzyofQbbOnOCpWZebYsC3EXU\n335fIg59k0m6f+O7GmEZzzIv5v0i99GS1R8CJm6FvhGqtH8ZqmOGbc71WdJSiNVE\n0kpQoJlVzRbig6ZyyjzrggbM1eh5OXOk5pw4+23FFEdw7JWU0HJS2o71r1hwp05Z\nvy21kcUEobz/WWQQyGS0Neo7PJn+9KS6wOxXul/UE0jct/5f7KLMdWMJ1VgniQmm\nhjvkHLPSICteqCI04RfcmMseW9gueHQXeUu1SNIvsWa2MhxjeBej3pDnrZWszKwy\ngF45GO9/v4tkIXNMy5J1AtOyRgQ3IUMqp8EAEQEAAYkBHwQYAQIACQUCVSDBFQIb\nDAAKCRBrl6HCgmQE2jnIB/4/xFz8InpM7eybnBOAir3uGcYfs3DOmaKn7qWVtGzv\nrKpQPYnVtlU2i6Z5UO4c4jDLT/8Xm1UDz3Lxvqt4xCaDwJvBZexU5BMK8l5DvOzH\n6o6P2L1UDu6BvmPXpVZz7/qUhOnyf8VQg/dAtYF4/ax19giNUpI5j5o5mX5w80Rx\nqSXV9NdSL4fdjeG1g/xXv2luhoV53T1bsycI3wjk/x5tV+M2KVhZBvvuOm/zhJje\noLWp0saaESkGXIXqurj6gZoujJvSvzl0n9F9VwqMEizDUfrXgtD1siQGhP0sVC6q\nha+F/SAEJ0jEquM4TfKWWU2S5V5vgPPpIQSYRnhQW4b1\n=xJPW\n-----END PGP PUBLIC KEY BLOCK-----\n```\n\n### We Will Reward Security Researchers\n\nIf you report a valid security-affecting bug, we will compensate you for the time spent finding the vulnerability and reward you for 
being a good neighbor.\n\nCompensation will typically fall under these categories:\n\n* Critical (Remote Code Execution, Catastrophic Cryptography Failure): $200+\n* Anything else: $50 to $199\n* Invalid bug reports: Nothing\n\nNote that we reserve the right to be overwhelmingly generous on a case-by-case basis. ;)\n\n#### What does a \"valid\" bug mean?\n\nThere are two sides to this:\n\n1. Some have spammed projects with invalid bug reports hoping to collect bounties for pressing a button and running an automated analysis tool. This is not cool.\n2. There is a potential for the developers of a project to declare all security bug reports as invalid to save money.\n\nOur team members have an established history of reporting vulnerabilities to large open source projects. **We aren't in the business of ripping people off.** When in doubt, our policy is to err on the side of generosity.\n\n### Scope\n\nWe're mostly interested in the *source* repositories in the [ParagonIE](https://github.com/paragonie) organization on Github, not in the security of our website (which mostly serves static content) or any repositories we forked (which we usually only do when fixing a security vulnerability in the upstream repository). \n\nIf you, however, find a vulnerability that allows you to compromise our server (e.g. SQL injection, Remote Code Execution), then we'll make an exception and award you a bounty anyway.\n\n### No Proof-of-Concept Required\n\nWe might ask for one if we feel we do not understand some of the details pertaining to a specific vulnerability. 
We certainly appreciate them if you include them in your report, but we believe **the burden lies with the developer to prove their software *is* secure** rather than with the researcher to prove that it isn't.\n\nIn our experience, most bugs are simpler to fix than they are to exploit.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-02-08T02:01:34.401Z"},{"id":2232752,"new_policy":"# An Invitation to Security Researchers\n\nEvery company says they take security \"very seriously.\" Rather than bore anyone with banal boilerplate, here are some quick answers followed by detailed elaboration. If you have any questions about our policies, please email them to `scott@paragonie.com`.\n\n## Quick Answers\n\n* There is no compulsion to disclose vulnerabilities privately, but we appreciate a heads-up.\n* `security@paragonie.com` will get your reports to the right person. Our GPG fingerprint, should you decide to encrypt your report, is `7F52 D5C6 1D12 55C7 3136  2E82 6B97 A1C2 8264 04DA`.\n* **YES**, we will reward security researchers who disclose vulnerabilities in our software.\n* In most cases, **No Proof-of-Concept Required.**\n* Please focus on the source repositories in our Github organization, not our website or any forks.\n\n## How to Report a Security Bug to Paragon Initiative Enterprises\n\n### There is no compulsion to disclose privately.\n\nWe believe vulnerability disclosure style is a personal choice and enjoy working with a diverse community. 
We understand and appreciate the importance of Full Disclosure in the history and practice of security research.\n\nWe would *like* to know about high-severity bugs before they become public knowledge, so we can fix them in a timely manner, but **we do not believe in threatening researchers or trying to enforce vulnerability embargoes**.\n\nUltimately, if you discover a security-affecting vulnerability, what you do with it is your choice. We would like to work with people, and to celebrate and reward their skill, experience, and dedication. We appreciate being informed of our mistakes so we can learn from them and build a better product. Our goal is to empower the community.\n\n### Where to Send Security Vulnerabilities\n\nFeel free to submit them via HackerOne, or email them to our security team directly (`security@paragonie.com`). Also feel free to open a new issue on Github if you want to disclose publicly.\n\n```\n-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: GnuPG\n\nmQENBFUgwRUBCADcIpqNwyYc5UmY/tpx1sF/rQ3knR1YNXYZThzFV+Gmqhp1fDH5\nqBs9foh1xwI6O7knWmQngnf/nBumI3x6xj7PuOdEZUh2FwCG/VWnglW8rKmoHzHA\nivjiu9SLnPIPAgHSHeh2XD7q3Ndm3nenbjAiRFNl2iXcwA2cTQp9Mmfw9vVcw0G0\nz1o0G3s8cC8ZS6flFySIervvfSRWj7A1acI5eE3+AH/qXJRdEJ+9J8OB65p1JMfk\n6+fWgOB1XZxMpz70S0rW6IX38WDSRhEK2fXyZJAJjyt+YGuzjZySNSoQR/V6vNYn\nsyrNPCJ2i5CgZQxAkyBBcr7koV9RIhPRzct/ABEBAAG0IVNlY3VyaXR5IDxzZWN1\ncml0eUBwYXJhZ29uaWUuY29tPokBOQQTAQIAIwUCVSDBFQIbAwcLCQgHAwIBBhUI\nAgkKCwQWAgMBAh4BAheAAAoJEGuXocKCZATat2YIAIoejNFEQ2c1iaOEtSuB7Pn/\nWLbsDsHNLDKOV+UnfaCjv/vL7D+5NMChFCi2frde/NQb2TsjqmIH+V+XbnJtlrXD\nVj7yvMVal+Jqjwj7v4eOEWcKVcFZk+9cfUgh7t92T2BMX58RpgZF0IQZ6Z1R3FfC\n9Ub4X6ykW+te1q0/4CoRycniwmlQi6iGSr99LQ5pfJq2Qlmz/luTZ0UX0h575T7d\ncp2T1sX/zFRk/fHeANWSksipdDBjAXR7NMnYZgw2HghEdFk/xRDY7K1NRWNZBf05\nWrMHmh6AIVJiWZvI175URxEe268hh+wThBhXQHMhFNJM1qPIuzb4WogxM3UUD7m5\nAQ0EVSDBFQEIALNkpzSuJsHAHh79sc0AYWztdUe2MzyofQbbOnOCpWZebYsC3EXU\n335fIg59k0m6f+O7GmEZzzIv5v0i99GS1R8CJm6FvhGqtH8ZqmOGbc71WdJSiNVE\n0kpQoJlVzRbig6Zyyjzrgg
bM1eh5OXOk5pw4+23FFEdw7JWU0HJS2o71r1hwp05Z\nvy21kcUEobz/WWQQyGS0Neo7PJn+9KS6wOxXul/UE0jct/5f7KLMdWMJ1VgniQmm\nhjvkHLPSICteqCI04RfcmMseW9gueHQXeUu1SNIvsWa2MhxjeBej3pDnrZWszKwy\ngF45GO9/v4tkIXNMy5J1AtOyRgQ3IUMqp8EAEQEAAYkBHwQYAQIACQUCVSDBFQIb\nDAAKCRBrl6HCgmQE2jnIB/4/xFz8InpM7eybnBOAir3uGcYfs3DOmaKn7qWVtGzv\nrKpQPYnVtlU2i6Z5UO4c4jDLT/8Xm1UDz3Lxvqt4xCaDwJvBZexU5BMK8l5DvOzH\n6o6P2L1UDu6BvmPXpVZz7/qUhOnyf8VQg/dAtYF4/ax19giNUpI5j5o5mX5w80Rx\nqSXV9NdSL4fdjeG1g/xXv2luhoV53T1bsycI3wjk/x5tV+M2KVhZBvvuOm/zhJje\noLWp0saaESkGXIXqurj6gZoujJvSvzl0n9F9VwqMEizDUfrXgtD1siQGhP0sVC6q\nha+F/SAEJ0jEquM4TfKWWU2S5V5vgPPpIQSYRnhQW4b1\n=xJPW\n-----END PGP PUBLIC KEY BLOCK-----\n```\n\n### We Will Reward Security Researchers\n\nIf you report a valid security-affecting bug, we will compensate you for the time spent finding the vulnerability and reward you for being a good neighbor.\n\nCompensation will typically fall under these two categories:\n\n* Critical (Remote Code Execution, Catastrophic Cryptography Failure): $200+\n* Anything else: $50 to $199\n* Invalid bugs reports: Nothing\n\nNote that we reserve the right to be overwhelmingly generous on a case-by-case basis. ;)\n\n#### What does a \"valid\" bug mean?\n\nThere are two sides to this:\n\n1. Some have spammed projects with invalid bug reports hoping to collect bounties for pressing a button and running an automated analysis tool. This is not cool.\n2. There is a potential for the developers of a project to declare all security bug reports as invalid to save money.\n\nOur team members have an established history of reporting vulnerabilities to large open source projects. 
**We aren't in the business of ripping people off.** When in doubt, our policy is to err on the side of generosity.\n\n### Scope\n\nWe're mostly interested in the *source* repositories in the [ParagonIE](https://github.com/paragonie) organization on Github, not in the security of our website (which mostly serves static content) or any repositories we forked (which we usually only do when fixing a security vulnerability in the upstream repository). \n\nIf you, however, find a vulnerability that allows you to compromise our server (e.g. SQL injection, Remote Code Execution), then we'll make an exception and award you a bounty anyway.\n\n### No Proof-of-Concept Required\n\nWe might ask for one if we feel we do not understand some of the details pertaining to a specific vulnerability. We certainly appreciate them if you include them in your report, but we believe **the burden lies with the developer to prove their software *is* secure** rather than with the researcher to prove that it isn't.\n\nIn our experience, most bugs are simpler to fix than they are to exploit.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-02-07T20:06:05.183Z"}]