IN SCOPE

The program is limited to the web and mobile versions of the Xsolla website. Our profiles on Facebook, Twitter, LinkedIn, Reddit, etc., and our partners’ websites do not qualify.

Eligible for bounty:

*.xsolla.com

80.lv

story3.com

golightstream.com (rainmaker.gg excluded)

api.stream

ELIGIBLE VULNERABILITIES
VULNERABILITY                                                  SEVERITY RANGE
Remote Code Execution                                          Critical
SQL Injection                                                  High - Critical
XXE                                                            High - Critical
Stored XSS                                                     Medium - High
Server-Side Request Forgery                                    High - Critical
Directory Traversal - Local File Inclusion                     High
Authentication/Authorization Bypass (Broken Access Control)    Medium - High
Privilege Escalation                                           Medium - High
Insecure Direct Object Reference                               Medium - High
Reflected Cross Site Scripting                                 Medium
Misconfiguration                                               Low - High
Web Cache Deception                                            Low - Medium
CORS Misconfiguration                                          Low - Medium
CRLF Injection                                                 Low - Medium
Cross Site Request Forgery                                     Low - Medium
Open Redirect                                                  Low - Medium
Information Disclosure                                         Low - Medium
REPORT SUBMISSION

By submitting a bug report you agree to comply with the Xsolla Bounty Program Policy, which forbids public or private disclosure of the details of any vulnerability or bug in Xsolla until 30 days after the bug has been fixed.

By participating in this program, you agree to adhere to the above rules and conditions. All rules must be followed to be eligible for rewards.

Please make sure to use this User-Agent string for testing: xsolla-bugbounty-%your-email-before@%
Average response time: 48 hours