Bug Bounty and Whitehat Responsibility Disclosure

At XPal we take security very seriously and recognize the value external security researchers can bring to the overall security of XPal’s platform. If you believe that you have found a security vulnerability on XPal, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem.

Before reporting, please review this page including the process and exceptions sections.

We have given out rewards for reported bugs and vulnerabilities, but these are discretionary and provided on a case-by-case basis. Our typical reward is between $50 and $1000 USD. According to the acceptable Whitehat reward scale, this is a sample of the reward level:

Minor: $50; Moderate: $250; Major: $500; Critical: $1000.

How to Submit an Issue

  • Read these guidelines, ensuring that you follow the process, and your issue is in scope.
  • Submit the issue via email to Support@xpal.com

Bug Bounty Process

Your submission will be reviewed and validated by a member of the Network and Security Team.

Depending upon the severity of your issue, it may take us between one day and a week to respond to you. Please use the above email contact method instead.

  • When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.
  • When duplicates occur, we treat the first report that was received as unique, and subsequent reports will be marked as duplicates.
  • Report a security bug: identify a vulnerability in our services or infrastructure which creates a security or privacy risk. (Note that XPal ultimately determines the risk of an issue, and that many software bugs are not security issues.) Report the vulnerability upon discovery or as soon as is feasible.

Eligible Vulnerabilities

We encourage the coordinated disclosure of the following eligible application vulnerabilities:

  1. Server-side code execution
  2. Authentication or authorization flaws
  3. SQL Injection Vulnerabilities
  4. Directory Traversal
  5. Information Disclosure
  6. Significant Security Misconfiguration (please follow best practice when reporting subdomain takeovers)

Note that third-party applications or websites not owned or controlled by XPal are not within the scope of the program.

To receive credit, you must be the first reporter of a vulnerability. When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.

Terms & Conditions

For you to participate in this program, we ask that:

  • You give us reasonable time to investigate and mitigate an issue that you report before making any information about the report public or sharing such information with others.
  • You do not exploit a security issue that you discover for any reason.
  • You do not violate any other applicable laws or regulations.
  • You do not interact with an individual account (which includes modifying or accessing data from the account) without the account owner's explicit consent in writing, which you must produce upon request.
  • You make a good faith effort to avoid privacy violations and disruptions to others, including (but not limited to) unauthorized access to or destruction of data, and interruption or degradation of our services. You must not intentionally violate any applicable laws or regulations, including (but not limited to) laws and regulations prohibiting the unauthorized access to data.
  • If you inadvertently access another person's data or XPal company data without authorization while investigating an issue, you must promptly cease any activity that might result in further access of user or XPal company data and notify XPal of what information was accessed (including a full description of the contents of the information) and then immediately delete the information from your system. Continuing to access another person's data or company data may demonstrate a lack of good faith and disqualify you from any benefit of the Safe Harbor Provisions described below. You must also acknowledge the inadvertent access in any related bug bounty report that you may subsequently submit. You may not share the inadvertently accessed information with anyone else.
  • You are not employed by or a contractor/vendor of XPal or its subsidiaries or affiliates, and are not an immediate family member of a person employed by XPal or its subsidiaries or affiliates (defined for these purposes as including spouse, domestic partner, parent, legal guardian, legal ward, child, and sibling, and each of their respective spouses, and individuals living in the same household as such individuals).
  • You are not less than 18 years of age. If you are at least 18 years old but are considered a minor in your place of residence, you must get your parent’s or legal guardian’s permission prior to participating.

Please send all reports to: support@xpal.com or xID 123 456 789. Any reward payments will be made by PayPal.

PLEASE NOTE: these terms are subject to change. For the latest version you must contact customer support at xID 123 456 789.