Vulnerability Disclosure Policy

Introduction

At xpna, we are committed to providing a secure and reliable service for our customers. We value the contributions of security researchers and other members of the community who help us maintain a secure environment. This Vulnerability Disclosure Policy describes how to report security vulnerabilities to us, our commitment to addressing them, and the guidelines for responsible disclosure.

Scope

This policy applies to any security vulnerability that could impact the confidentiality, integrity, or availability of our services, systems, or data. This includes, but is not limited to, vulnerabilities in our website, applications, APIs, and infrastructure.


  • This policy applies to the xpna.app domain only.
  • xpna.co is not an application domain and is not in scope.
  • billing.xpna.co is managed by Stripe and is out of scope.

Reporting Vulnerabilities

To report a security vulnerability, please send an email to security@xpna.co with the following information:

  • A detailed description of the vulnerability, including the affected systems or services
  • Steps to reproduce the vulnerability
  • Any potential impact on users or data
  • Contact information for further communication

Please do not disclose the vulnerability publicly or share it with third parties until we have resolved the issue and given permission to disclose it.

Our Commitment

When you report a vulnerability in accordance with this policy, we commit to:

  • Acknowledging receipt of your report within 24 hours
  • Investigating the reported vulnerability promptly
  • Providing regular updates on the status of our investigation and resolution
  • Addressing the vulnerability as quickly as possible

Guidelines for Responsible Disclosure

To ensure responsible disclosure, we ask that you:

  • Do not engage in activities that could disrupt our services, such as denial-of-service attacks or unauthorized data access
  • Avoid accessing, modifying, or deleting data that is not your own
  • Do not publicly disclose the vulnerability until we have resolved it
  • Comply with all applicable laws

Legal Disclaimer

We will not take legal action against individuals who report vulnerabilities in accordance with this policy and act in good faith. However, we reserve the right to take legal action against individuals who violate this policy, engage in malicious activities, or cause harm to our services or users.