Xsolla Bounty Program

In Scope

The program is limited to the web and mobile versions of the Xsolla website. Our profiles on Facebook, Twitter, LinkedIn, Reddit, etc., and our partners' websites do not qualify.

Eligible for bounty:
*.xsolla.com
babka.com
80.lv

Eligible Vulnerabilities

No. | Vulnerability                                                 | Severity Range
----|---------------------------------------------------------------|----------------
1   | Remote Code Execution                                         | Critical
2   | SQL Injection                                                 | High - Critical
3   | XXE                                                           | High - Critical
4   | Stored XSS                                                    | Medium - High
5   | Server-Side Request Forgery                                   | High - Critical
6   | Directory Traversal - Local File Inclusion                    | High
7   | Authentication/Authorization Bypass (Broken Access Control)   | Medium - High
8   | Privilege Escalation                                          | Medium - High
9   | Insecure Direct Object Reference                              | Medium - High
10  | Reflected Cross Site Scripting                                | Medium
11  | Misconfiguration                                              | Low - High
12  | Web Cache Deception                                           | Low - Medium
13  | CORS Misconfiguration                                         | Low - Medium
14  | CRLF Injection                                                | Low - Medium
15  | Cross Site Request Forgery                                    | Low - Medium
16  | Open Redirect                                                 | Low - Medium
17  | Information Disclosure                                        | Low - Medium

Non-eligible Vulnerabilities

No. | Vulnerability
----|-----------------------------------------------
1   | Clickjacking
2   | Self XSS
3   | Email Spoofing - SPF Records Misconfiguration

Report Submission

By submitting a bug report you agree to comply with the Xsolla Bounty Program Policy, which forbids public or private disclosure of the details of any vulnerability or bug in Xsolla until 30 days after the bug has been fixed.

By participating in this program, you agree to adhere to the above rules and conditions. All rules must be followed to be eligible for rewards.
