Vulnerability Disclosure Policy
Introduction
At xpna, we are committed to providing a secure and reliable service for our customers. We value the contributions of security researchers and other members of the community who help us maintain a secure environment. This Vulnerability Disclosure Policy describes how to report security vulnerabilities to us, our commitment to addressing them, and the guidelines for responsible disclosure.
Scope
This policy applies to any security vulnerability that could impact the confidentiality, integrity, or availability of our services, systems, or data. This includes, but is not limited to, vulnerabilities in our website, applications, APIs, and infrastructure.
- This policy applies to the xpna.app domain only.
- xpna.co is not an application domain and is not in scope.
- help.xpna.app is not an application domain and is not in scope.
- billing.xpna.co is managed by Stripe and is not in scope.
Reporting Vulnerabilities
To report a security vulnerability, please send an email to security@xpna.co with the following information:
- A detailed description of the vulnerability, including the affected systems or services
- Steps to reproduce the vulnerability
- Any potential impact on users or data
- Contact information for further communication
Please do not disclose the vulnerability publicly or share it with third parties until we have resolved the issue and given permission to disclose it.
Our Commitment
When you report a vulnerability in accordance with this policy, we commit to:
- Acknowledging receipt of your report within one working day
- Investigating the reported vulnerability promptly
- Providing regular updates on the status of our investigation and resolution
- Addressing the vulnerability as quickly as possible
Guidelines for Responsible Disclosure
To ensure responsible disclosure, we ask that you:
- Do not engage in activities that could disrupt our services, such as denial-of-service attacks or unauthorized data access
- Avoid accessing, modifying, or deleting data that is not your own
- Do not publicly disclose the vulnerability until we have resolved it
- Comply with all applicable laws
Legal Disclaimer
We will not take legal action against individuals who report vulnerabilities in accordance with this policy and act in good faith. However, we reserve the right to take legal action against individuals who violate this policy, engage in malicious activities, or cause harm to our services or users.