Responsible Disclosure Policy

TERMS
Terms of UseCustomer AgreementData Processing Addendum (DPA)API Terms of ServiceAcceptable Use PolicyBrand Guidelines
COMPLIANCE
Privacy PolicySecurityResponsible DisclosureApplicant Privacy Notice & PolicyAccessibility StatementGDPR ComplianceSubprocessorsCookie Policy

Last Updated: 30 July 2025

At Xurrent, Inc. (“Xurrent”) we are committed to ensuring the security of our systems and the privacy of our users. We value the efforts of security researchers and ethical hackers who help us identify and remediate potential vulnerabilities. This Responsible Disclosure Policy provides a general guideline for submitting vulnerability reports to us.

Reporting A Security Vulnerability

If you believe you have discovered a security vulnerability in any of our systems, please report it to us immediately by following these steps:

  • Email Us: Send a detailed email to security@xurrent.com
  • Include Details: In your report, please include the following information:
    • Vulnerability Description: A clear and concise description of the vulnerability.
    • Steps to Reproduce: Detailed steps on how to reproduce the vulnerability.
    • Impact: Explain the potential impact of the vulnerability.
    • Proof of Concept: Any relevant proof of concept code, screenshots, or videos.
    • Affected Systems/URLs: Specify the affected systems, applications, or URLs.
    • Your Contact Information: Your name, email address, and any preferred method of contact (e.g., PGP key).
  • Encrypt Your Report (Optional but Recommended): If you are comfortable, you may encrypt your report using our PGP key, which can be found on our website.

Our Commitment

Upon receiving your vulnerability report, we commit to the following:

  • Acknowledgement: We will acknowledge receipt of your report within 3 business days.
  • Investigation: We will investigate the reported vulnerability.
  • Communication: We will keep you informed of our progress throughout the investigation and remediation process.
  • Remediation: We will make every effort to address and remediate valid vulnerabilities promptly, based on their severity.
  • Recognition: For valid and impactful vulnerabilities reported in accordance with this policy, we will offer public recognition (with your consent) in our "Hall of Fame" or a similar acknowledgment.

Guidelines for Responsible Disclosure

To ensure a smooth and productive disclosure process, we kindly request that you adhere to the following guidelines:

  • Only perform assessments on systems and applications that are explicitly within the scope of this policy.
  • Use your own test account for all testing activities; do not use customer accounts under any circumstances.
  • Conduct all testing in good faith, with the primary goal of improving our security posture.
  • Do not access, modify, or delete any user data without explicit written permission.
  • Do not attempt to compromise the confidentiality, integrity, or availability of our systems or customer data.
  • Do not circumvent or bypass any privacy or security controls we have in place.
  • Avoid any actions that could lead to degradation of service or denial of service (DoS/DDoS) for our users.
  • Do not use automated scanners or tools that may generate excessive traffic or cause disruptions.
  • Social engineering, phishing, or physical attacks against our employees, customers, vendors or infrastructure are strictly prohibited.

Responsible Disclosure

  • Do not publicly share any details of identified vulnerabilities including proof of concept code, screenshots, or technical information without explicit written consent from Xurrent.

Out-of-Scope Vulnerabilities

The following are not considered security vulnerabilities and are out of scope for this program:

Findings that do not demonstrably impact the confidentiality, integrity, security, or availability of our systems, data, or users are considered informational and out of scope. This includes "good-to-have" improvements like general hardening recommendations, security best practices, or hygiene issues that do not pose a practical or exploitable risk.

  • Clickjacking on non-sensitive or static content pages
  • Rate limiting or brute-force attacks on endpoints that do not expose sensitive data
  • Missing or non-standard HTTP security headers (e.g., X-Frame-Options, Content-Security-Policy) without a demonstrable security impact
  • Vulnerabilities in third party services, libraries, or software not maintained or controlled by Xurrent
  • Self XSS, or XSS that requires the user to input code into their own browser console
  • Social engineering or phishing attacks requiring significant user interaction or external influence
  • Recommendations or theoretical weaknesses without concrete, reproducible exploit paths
  • Automated scanner output without manual validation, impact analysis, or proof-of-concept
  • Use of known/weak cipher suites unless it results in a practical, exploitable vulnerability
  • Missing HttpOnly or Secure flags on non-sensitive cookies
  • Use of deprecated libraries without a clear and demonstrable vulnerability
  • CSRF on logout or non-sensitive actions that do not modify user data or settings
  • Email bombing or spam that does not bypass rate limits or cause service disruption
  • Open redirects without a proven exploit chain leading to sensitive data theft or phishing

In-Scope Targets

Hall Of Fame

While Xurrent does not provide any monetary reward for responsibly disclosing unique vulnerabilities and working with us to remediate them, we would like to convey our deepest gratitude to the security researchers publicly. We will add your name to our Hall of Fame.

Safe Harbor

Xurrent will not pursue legal action against individuals who:

  • Act in good faith and follow this Responsible Disclosure Policy;
  • Do not access, alter, or destroy user data;
  • Do not disrupt our services, compromise privacy, or take any other harmful action; and
  • Limit testing to in scope systems only.

If your research complies with this policy, it will not be considered by Xurrent to be unauthorized activity.

This safe harbor does not apply to actions involving malicious intent, data theft, service disruption or that are otherwise excluded by this policy, or actions that violate applicable laws. If you are unsure whether a particular activity is covered, please contact us at security@xurrent.com before proceeding.

Thank you for helping us keep our systems secure.