How to report
Contact the team through our Telegram channel (@parquetexchange) to open a private line — message the channel to say you have a security report and ask an operator to follow up privately. Do not post vulnerability details in the public channel and do not open a GitHub issue; share the description and, ideally, a proof of concept or reproduction steps only once an operator has moved the conversation to a private message.
Please give us a reasonable window to investigate and ship a fix before disclosing the issue anywhere publicly.
Scope
In scope:
- The six on-chain programs (the perp engine, oracle adapter, liquidity pool, staking, fee distributor, and price-feed programs). See Contracts for the program IDs.
- The public, read-only indexer API (developer reference available on request — see Developer docs).
Good-faith safe harbor
We will not pursue or support legal action against researchers who, in good faith:
- Report a vulnerability through the private channel above.
- Avoid privacy violations, data destruction, and any disruption to the protocol or other users.
- Give us a reasonable opportunity to remediate before any public disclosure.