Vulnerability Disclosure Policy
If you've identified a potential security flaw in our infrastructure or software, please responsibly disclose it via our HackerOne program.
​
If you've identified a potential security incident, please let us know immediately using GPG encryption.
​
Prior to reporting, please review the following information including our responsible disclosure policy. Scope, reward information, and other guidelines can be found on HackerOne.
01/
01/
Responsible Disclosure Policy
Palantir is proud to base our responsible disclosure policy on the https://disclose.io/ vulnerability disclosure framework. Security is one of our core tenets at Palantir, and we value the input of security professionals acting in good faith to help us maintain a high standard for the security and privacy of our users. This includes encouraging responsible vulnerability research and disclosure. This policy sets out our definition of good faith in the context of finding and reporting vulnerabilities, as well as what you can expect from us in return.
You may find the full contents of our responsible disclosure policy, including scope and bug bounty rewards, on our HackerOne public bug-bounty program page.
02/
Reporting
To report a potential security issue or vulnerability in our products or infrastructure, please follow this reporting process:
​
-
Compile as much technical information as possible, including steps to reproduce and validate the issue.
-
Open a report on our HackerOne public bug-bounty program page.
-
Please allow up to 5 business days for confirmation of the reported issue.
To report a potential security incident, please follow this reporting process:​
-
Compile as much technical information as possible, including steps to reproduce and validate the issue.
-
Encrypt the email contents using our GPG key.
-
Notify the Palantir Computer Incident Response Team (CIRT) immediately by emailing cirt@palantir.com. Please provide the best means of return communication.