Last Updated: 14th July, 2022
Responsible Disclosure Policy
xto10x is committed to ensuring the safety and security of our customers and employees and their information. We aim to foster an environment of trust, and an open partnership with the security community, and we recognize the importance of vulnerability disclosures and whistleblowers in continuing to ensure safety and security for all of our customers, employees and company. We have developed this policy to both reflect our corporate values and to uphold our legal responsibility to good-faith security researchers that are providing us with their expertise and whistleblowers who add an extra layer of security to our infrastructure.
The purpose of this policy is to allow for the reporting and disclosure of vulnerabilities discovered by external entities, and anonymous reporting of information security policy violations by internal entities.
xto10x's Responsible Disclosure Policy applies to xto10x's core platforms, website (xto10x.com), products and its information security infrastructure, and to internal and external employees or third parties.
How to Submit a Vulnerability
To submit a vulnerability report to xto10x's Security Team, please utilise the following email firstname.lastname@example.org.
Preference, Prioritisation, and Acceptance Criteria
We will use the following criteria to prioritise and triage submissions. What we would like to see from you:
- Well-written reports in English will have a higher probability of resolution.
- Reports that include proof-of-concept code equip us to better triage.
- Reports that include only crash dumps or other automated tool output may receive lower priority.
- Reports that include products not on the initial scope list may receive lower priority.
- Please include how you found the bug, the impact, and any potential remediation.
- You do not exploit a security vulnerability that you discover for any reason. (This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for additional issues.)
- You do not violate any laws or breach any agreements in order to discover vulnerabilities.
- You do not publicly disclose details of a security vulnerability that you've reported without xto10x's permission.
What can you expect from xto10x
- A timely response to your email (within 2 business days).
- After triage, we will send an expected timeline and commit to being as transparent as possible about the remediation timeline as well as on issues or challenges that may extend it.
- An open dialog to discuss issues.
- Notification when the vulnerability analysis has completed each stage of our review.
- Public acknowledgement of your contribution, if you want it.
If we are unable to resolve communication issues or other problems, xto10x may bring in a neutral third party to assist in determining how best to handle the vulnerability.
We recognise security researchers who help us to keep users safe by reporting vulnerabilities in our services. Recognition for such reports is entirely at xto10x's discretion, based on risk, impact and other factors.
Any design or implementation issue that is reproducible and substantially affects the security of xto10x systems or their users is likely to be in scope for the program. Common examples include:
- Cross Site Scripting (XSS)
- Cross Site Request Forgery (CSRF)
- Remote Code Execution (RCE)
- Authentication/Authorisation flaws
- Domain take-over vulnerabilities
- Ability to take over other xto10x user accounts (while testing, use a second test account of your own to validate)
- Any vulnerability that can affect the xto10x brand, user data and financial transactions
The following bugs are unlikely to be eligible:
- Vulnerabilities found through automated testing
- "Scanner output" or scanner-generated reports
- Publicly released CVEs or 0-days in internet software within 90 days of their disclosure
- "Advisory" or "Informational" reports that do not include any xto10x testing or context
- Vulnerabilities requiring MITM or physical access to the victim’s unlocked device.
- Denial of Service attacks
  - SPF and DKIM issues
  - Content injection
  - Hyperlink injection in emails
  - IDN homograph attacks
  - RTL Ambiguity
- Content Spoofing
- Vulnerabilities relating to Password Policy
- Full-Path Disclosure on any property
- Version number information disclosure
- Third-party applications on the xto10x Application directory (identified by the existence of a "Report this app" link on the app's page). Please report vulnerabilities with these services to the creator of that specific application.
- Clickjacking on pre-authenticated pages, or the non-existence of X-Frame-Options, or other non-exploitable clickjacking vulnerabilities
- CSRF-able actions that do not require authentication (or a session) to exploit
- Reports related to the following security-related headers:
  - Strict Transport Security (HSTS)
  - XSS mitigation headers (X-Content-Type-Options and X-XSS-Protection)
  - X-Content-Type-Options
  - Content Security Policy (CSP) settings (excluding nosniff in an exploitable scenario)
- Bugs that do not represent any security risk
- Security bugs in third-party applications or services built on the xto10x API - please report them to the third party that built the application or service
- Security bugs in software related to an acquisition for a period of 90 days following any public announcement
- HTTP TRACE or OPTIONS methods enabled
- Non-sensitive (i.e., non-session) cookies missing the Secure or HttpOnly flags
- Tap jacking
- Mobile client issues that require a rooted device and/or an outdated OS version, or SSL pinning issues
- Subdomain takeovers without supporting evidence
- Missing best practices in SSL/TLS configuration.
- Open ports without an accompanying proof-of-concept demonstrating vulnerability
- Vulnerabilities in the whitehat report form
We do not have a bounty/cash reward program for such disclosures, but we express our gratitude for your contribution in different ways. For genuine ethical disclosures, we would be glad to publicly acknowledge your contribution in this section on our website. Of course, this will only be done if you want a public acknowledgement.