Last Updated: 08-Mar-2021
Hey there, bug hunters! We're so glad you're here to help us keep XposedOrNot (XON) safe and
secure. I've set up this Responsible Disclosure Policy to make sure that everyone plays nice and helps
us keep our services, website, and network safe from any pesky bugs or vulnerabilities.
If you find something that needs my attention, I appreciate your cooperation in responsibly
investigating and reporting it so that I can fix it up faster than a speeding bullet. Your help in
disclosing security vulnerabilities helps us keep all of our users safe and sound.
Guidelines for Reporting:
When you're reporting a bug or vulnerability, please make sure to include the following:
- A clear description of the bug or vulnerability, with some evidence like screen captures or
output data. Don't be shy, we love to see what you've found!
- A description of the potential impact of the vulnerability, just so we know what we're dealing
with.
- Your preferred name or handle so we can give you the recognition you deserve in our XON
Security Researcher Hall of Fame.
- Exact steps to reproduce the issue so that we can replicate it on our end.
- A video proof of concept is always appreciated if you have one.
- Any relevant information about platforms, operating systems, versions, IP addresses, or URLs.
- Supporting evidence like logging or tracing data is always helpful.
- Your assessment of how exploitable the issue might be. We won't judge you if it's a 10 out of
10 on the exploitability scale.
Thanks for being an awesome bug hunter 🙌 and helping us keep XposedOrNot (XON) safe and sound!
Valid Submissions
- Local or Remote File Inclusion
- Authentication Bypass
- Directory Traversal
- Unauthorized/unintended data leakage
- Remote code execution (RCE)
- SQL injection, XXE injection, and command injection
- Cross-Site Scripting (XSS)
- Server-side request forgery (SSRF)
- Misconfiguration issues on servers or API
- Authentication and Authorization related issues
- Cross-site request forgery (CSRF)
In-Scope Domains
- https://xposedornot.com
- https://api.xposedornot.com
- https://passwords.xposedornot.com
Uses of Information
We promise to keep all information about you and our services confidential. So please, don't spill the
beans to anyone outside of our team!
We're all about making the internet a safer place, and we appreciate security researchers who help us
achieve that. So, a big thanks 🙏 to you for being a part of that effort! By responsibly disclosing
any bugs or vulnerabilities you find, you're helping us protect our users and their data.
Acceptable Use Policy
Just a heads up - this isn't your typical bug bounty program where we offer cash rewards for
vulnerability submissions. We're not made of money (yet). However, if you do report something
important to us, we might just show you some love and appreciation in return!
Just make sure to keep it ethical, okay? We expect you to act like a good citizen of the internet and
follow the rules we've laid out in our Acceptable Use Policy. But if you do that, we'll happily give
you some recognition on our Hall of Fame page - which is kind of like our version of the Hollywood
Walk of Fame, but for security researchers. So go ahead, show off your skills and help us make
XposedOrNot a safer place for everyone!
Bug Reporters - Expectations
Bug hunters, we're excited to have you on board in helping us make XposedOrNot a safer place for
everyone! Before you get started, here are a few things we expect from you:
- Please don't do anything that would hurt or disrupt XposedOrNot or our users.
- We'll send you an acknowledgment within 1-3 days of receiving your report.
- Respect the privacy of our users and don't try to snoop around their accounts.
- Only test on your own accounts and email addresses.
- If you find a critical vulnerability that gives you access to our web server or API, please
stop there and let us take over.
- Don't share any details about the issue until we've resolved it.
- If you try to exploit the vulnerability for personal gain, we'll have to disqualify your
report.
We appreciate your cooperation in helping us keep our platform secure. Let's work together to make
XposedOrNot the best it can be!