By submitting a bug report you agree to comply with the [Xsolla Bounty Program Policy](/xsolla-bounty-program-terms-and-conditions), which forbids public or private disclosure of the details of any vulnerability or bug on Xsolla before the 30 days after the bug has been fixed.

By participating in this program, you agree to adhere to the above rules and conditions. All rules must be followed to be eligible for rewards.

REPORT SUBMISSION

Rules

#### OUT OF SCOPE
- Security Best Practices, i.e., Security Headers
- Social Engineering, Phishing
- Physical Attacks
- Missing Cookie Flags
- CSRF with minimal impact, i.e., Login CSRF, Logout CSRF
- Content Spoofing
- Stack Traces, Path Disclosure, Directory Listings
- SSL/TLS best practices
- Banner Grabbing
- CSV Injection
- Reflected File Download
- Reports on Out of dated browsers
- DOS/DDOS (including no Rate Limits and file size restrictions)
- Host header Injection without a demonstrable impact
- Scanner Outputs
- Vulnerabilities on Third Party Products
- User Enumeration
- Password Complexity
- HTTP Trace Method
- Issues found in third party software used by Xsolla
- Clickjacking 
- Self XSS 
- Email Spoofing - SPF Records Misconfiguration 
- Open redirect with host header injection
- Private IP addresses disclosure

Reports on:
- A payment being declined or not going through.
- A refund that hasn’t been approved, or funds haven’t reached your account yet.
- The payment system you’d like to use is temporarily unavailable or not available for your region/mobile carrier.
- You have not received the purchase or the bonus associated with it.
- Issues related to scheduled or unscheduled downtimes, connection issues, etc.
- Flaws found on our profiles on Facebook, Twitter, LinkedIn, Reddit, etc. and our partners’ websites.

For these and other payment-related issues, please contact our 24/7 Customer Service team at help.xsolla.com.


Out of scope

#### RULES OF ENGAGEMENT
Submit a [form](#form) below with a detailed report. This report should include clear information about security issues and their Impact. Reports without reproducible PoC will be closed as Informative.

Your report should include as much of the following as possible:

- Link to the page containing the bug or affected products/websites (if applicable)
- Type of bug
- Step-by-step instructions to reproduce and validation the bug
- Impact (why you think it’s a bug and what trouble or damage it’s causing)
- Recommendations for fixing/improving

Please follow these while submitting the report:

- Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of Xsolla services
- Do not attempt to perform brute-force attacks, denial-of-service attacks, compromise or testing of Xsolla accounts that are not your own
- Do not attempt to target Xsolla employees or its customers, including social engineering attacks, phishing attacks or physical attacks
- Do not perform physical attacks against any Xsolla facility

Please make sure to use the User-Agent string xsolla-bugbounty-%your-email-before@% while testing

Limited usage of automated scanners/tools is allowed with above User-Agent applied and scanners/tools must be configured to not send more than 15 requests per second to any particular service

Please note, use of scanning tools without the User-agent string above may result in your account/IP getting blocked by automated protections. It can take time to reinstate these so please make sure to include it.

Once submitted, we will acknowledge that we have received your report with an automated reply to ask for more info if it is necessary, and will continue our conversation via email when/if applicable.
We will then review the information and work to validate the reported bug. In the event that a true bug is discovered, we will notify you.

Rules of Engagement

#### REWARDS
Our rewards are based on the severity of a vulnerability. We use CVSS 3.1 (Common Vulnerability Scoring Standard) to calculate severity.

We may pay more for unique, hard-to-find bugs, or for high-quality reports; we may also pay less for bugs with complex prerequisites that lower the risk of exploitation.

Please note, however, that reward decisions are up to the discretion of Xsolla. Issues may receive a lower severity due to the presence of compensating controls and context.

The amounts shown in the table should be considered the MAXIMUM amounts for each severity level, though bonuses may be given at Xsolla’s discretion.

| Severity |  Amount (in USD) |
|----------|------------------|
| Critical | $1,000 - $2,000  |
| High     | $800             |
| Medium   | $500             |
| Low      | $100             |

When duplicates occur, we award the first report that we can completely reproduce.

Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. We award bounties at the time of validation and will keep you posted as we work to resolve them. Although sometimes it can take more time to investigate the vulnerability severity and the bounty may be paid later.

Test only with your own account(s) when investigating bugs, and do not interact with other accounts without the consent of their owners.


Rewards

#### IN SCOPE
The program is limited to the web and mobile versions of the Xsolla website. Our profiles on Facebook, Twitter, LinkedIn, Reddit, etc. and our partners’ websites, do not qualify.

Eligible for bounty:

*.xsolla.com

80.lv

story3.com

golightstream.com (rainmaker.gg excluded)

api.stream


##### ELIGIBLE VULNERABILITIES

| VULNERABILITY |  SEVERITY RANGE |
|----------|------------------|
| Remote Code Execution | Critical  |
| SQL Injection    | High - Critical |
|  XXE   | High - Critical    |
|  Stored XSS      | Medium - High             |
| Server-Side Request Forgery | High - Critical  |
| Directory Traversal - Local File Inclusion     | High             |
| Authentication/Authorization Bypass (Broken Access Control)   | Medium - High             |
| Privilege Escalation      | Medium - High             |
| Insecure Direct Object Reference | Medium - High  |
| Reflected Cross Site Scripting     | Medium             |
|  Misconfiguration   | Low - High             |
| Web Cache Deception      | Low - Medium             |
| CORS Misconfiguration | Low - Medium  |
| CRLF Injection     | Low - Medium             |
| Cross Site Request Forgery   | Low - Medium             |
| Open Redirect      | Low - Medium             |
| Information Disclosure     | Low - Medium              |

In Scope

#### PAYMENTS
You may choose to receive the funds in your PayPal account, in which case, you will have to acknowledge that the provided PayPal account is your personal account.

You may also choose to receive the amount as credit for any of the games Xsolla distributes. In this case, we will request your nickname/email associated with the account.


Payments 

#### RESPONSIBLE DISCLOSURE POLICY
We believe it is against the spirit of this program to disclose the flaw for purposes other than actually fixing the bug. Participants agree to not disclose bugs found until 30 days after they have been fixed, and to coordinate disclosure with our team through email to avoid confusion.

We will do our best to respond to your submission as quickly as possible, keep you updated on the fix, and award a bounty when appropriate.

Please do not hack user accounts, corrupt databases, or leak data that might be sensitive. We also discourage testing that degrades the quality of service for our users.



Responsible Disclosure Policy

Get quicker chat support in your Xsolla Wallet account.

Need help?

Log in to Xsolla Wallet account to get started!

Upload a file that has a max file size of 10mb.

File exceeds size limit.

Only MP4, MOV, JPG, PNG and GIF files are allowed.

Invalid file type

Thank you!

<strong>Stay ahead of the game!</strong> Subscribe to receive email updates from the <a href="https://xsolla.com/xsolla-brands" target="_blank">Xsolla Family</a> about the latest gaming releases, discounts, exclusives, rewards, events, and news

Xsolla Newsletter

In case of replacement your return address cannot be changed. If the Region/State field is left empty, please enter None

We’ll reply to your email once we’re done brewing the solution.