Last Updated: 26-Aug-2025
Hey there, bug hunters! We're so glad you're here to help us
keep XposedOrNot (XON) safe and secure. I've set up this
Responsible Disclosure Policy to make sure that everyone plays
nice and helps us keep our services, website, and network safe
from any pesky bugs or vulnerabilities.
If you find something that needs my attention, I appreciate your
cooperation in responsibly investigating and reporting it so that
I can fix it up faster than a speeding bullet. Your help in
disclosing security vulnerabilities helps us keep all of our users
safe and sound.
Guidelines for Reporting:
When you're reporting a bug or vulnerability, please make sure to
include the following:
- A clear description of the bug or vulnerability, with some evidence like screen captures or output data. Don't be shy, we love to see what you've found!
- A description of the potential impact of the vulnerability, just so we know what we're dealing with.
- Your preferred name or handle so we can give you the recognition you deserve in our XON Security Researcher Hall of Fame.
- Exact steps to reproduce the issue so that we can replicate it on our end.
- A video proof of concept is always appreciated if you have one.
- Any relevant information about platforms, operating systems, versions, IP addresses, or URLs.
- Supporting evidence like logging or tracing data is always helpful.
- Your assessment of how exploitable the issue might be. We won't judge you if it's a 10 out of 10 on the exploitability scale.
Thanks for being an awesome bug hunter 🙌 and helping us keep
XposedOrNot (XON) safe and sound!
Valid Submissions
- Local or Remote File Inclusion
- Authentication Bypass
- Directory Traversal
- Unauthorized/unintended data leakage
- Remote code execution (RCE)
- SQL/XXE injection and command injection
- Cross-Site Scripting (XSS)
- Server-side request forgery (SSRF)
- Misconfiguration issues on servers or API
- Authentication and authorization related issues
- Cross-site request forgery (CSRF)
In Scope Domains
Primary Domain: xposedornot.com
Subdomains: All subdomains of xposedornot.com
(*.xposedornot.com)
This includes but is not limited to: api.xposedornot.com,
passwords.xposedornot.com, plus.xposedornot.com and any future
subdomains.
Uses of information
We promise to keep all information about you and our services
confidential. So please, don't spill the beans to anyone outside
of our team!
We're all about making the internet a safer place, and we
appreciate security researchers who help us achieve that. So, a
big thanks 🙏 to you for being a part of that effort! By
responsibly disclosing any bugs or vulnerabilities you find,
you're helping us protect our users and their data.
Acceptable Use Policy
Just a heads up - this isn't your typical bug bounty program where
we offer cash rewards for vulnerability submissions. We're not
made of money (yet). However, if you do report something important
to us, we might just show you some love and appreciation in
return!
Just make sure to keep it ethical, okay? We expect you to act like
a good citizen of the internet and follow the rules we've laid out
in our Acceptable Use Policy. But if you do that, we'll happily
give you some recognition on our Hall of Fame page - which is kind
of like our version of the Hollywood Walk of Fame, but for
security researchers. So go ahead, show off your skills and help
us make XposedOrNot a safer place for everyone!
Bug Reporters - Expectations
Bug hunters, we're excited to have you on board in helping us make
XposedOrNot a safer place for everyone! Before you get started,
here are a few things we expect from you:
- Please don't do anything that would hurt or disrupt XposedOrNot or our users.
- We'll send you an acknowledgment within 1-3 days of receiving your report.
- Respect the privacy of our users and don't try to snoop around their accounts.
- Only test on your own accounts and email addresses.
- If you find a critical vulnerability that gives you access to our webserver or API, please stop there and let us take over.
- Don't share any details about the issue until we've resolved it.
- If you try to exploit the vulnerability for personal gain, we'll have to disqualify your report.
We appreciate your cooperation in helping us keep our platform
secure. Let's work together to make XposedOrNot the best it can
be!