If you believe you have found a security vulnerability in Parquet, please report it privately. Do not open a public GitHub issue and do not post details in the public Telegram channel — public disclosure of an unpatched flaw puts every trader’s funds at risk.

How to report

Contact the team through our Telegram channel (@parquetexchange) to open a private line — message the channel to say you have a security report and ask an operator to follow up privately. Do not post vulnerability details in the public channel and do not open a GitHub issue; share the description and, ideally, a proof of concept or reproduction steps only once an operator has moved the conversation to a private message. Please give us a reasonable window to investigate and ship a fix before disclosing the issue anywhere publicly.

Scope

In scope:
  • The six on-chain programs (the perp engine, oracle adapter, liquidity pool, staking, fee distributor, and price-feed programs). See Contracts for the program IDs.
  • The public, read-only indexer API (developer reference available on request — see Developer docs).
Out of scope: third-party infrastructure, dependencies, and services we do not operate; denial-of-service against public endpoints; and findings that require physical access to a user’s device or social engineering.

Good-faith safe harbor

We will not pursue or support legal action against researchers who, in good faith:
  • Report a vulnerability through the private channel above.
  • Avoid privacy violations, data destruction, and any disruption to the protocol or other users.
  • Give us a reasonable opportunity to remediate before any public disclosure.
Testing should never put other users’ funds or positions at risk. If in doubt about whether an action is in scope, ask first.