Xsolla Bounty Program

In Scope

The program is limited to the web and mobile versions of the Xsolla website. Our profiles on Facebook, Twitter, Linkedin, Reddit, etc. and our partners’ websites, do not qualify.

Eligible for bounty:
*.xsolla.com
babka.com
80.lv

Eligible Vulnerabilities

Severity Range

1

Remote Code Execution

Critical

2

SQL Injection

High - Critical

3

XXE

High - Critical

4

Stored XSS

Medium - High

5

Server-Side Request Forgery

High - Critical

6

Directory Traversal - Local File Inclusion

High

7

Authentication/Authorization Bypass (Broken Access Control)

Medium - High

8

Privilege Escalation

Medium - High

9

Insecure Direct Object Reference

Medium - High

10

Reflected Cross Site Scripting

Medium

11

Misconfiguration

Low - High

12

Web Cache Deception

Low - Medium

13

CORS Misconfiguration

Low - Medium

14

CRLF Injection

Low - Medium

15

Cross Site Request Forgery

Low - Medium

16

Open Redirect

Low - Medium

17

Information Disclosure

Low - Medium

Non-eligible Vulnerabilities

1

Clickjacking

2

Self XSS

3

Email Spoofing - SPF Records Misconfiguration

rules

Rewards →

In Scope →

Out-of-Scope →

Rules of Engagement →

Payments →

Our Commitment →

Responsible Disclosure Policy →

Contact Us

Report Submission

By submitting a bug report you agree to comply with the Xsolla Bounty Program Policy, which forbids public or private disclosure of the details of any vulnerability or bug on Xsolla before the 30 days after the bug has been fixed.

By participating in this program, you agree to adhere to the above rules and conditions. All rules must be followed to be eligible for rewards.

Thank you, your submission has been received

Another bug report

This form is temporarily out of order. We're already working to restore it. Try leaving your request again later or contact us directly at support@xsolla.com.