Our rewards are based on the severity of a vulnerability. We use CVSS 3.1 (Common Vulnerability Scoring System) to calculate severity.

We may pay more for unique, hard-to-find bugs, or for high-quality reports; we may also pay less for bugs with complex prerequisites that lower the risk of exploitation.

Please note, however, that reward decisions are up to the discretion of Xsolla. Issues may receive a lower severity due to the presence of compensating controls and context.

The amounts shown in the table should be considered the MAXIMUM amounts for each severity level, though bonuses may be given at Xsolla’s discretion.

Severity    Amount (in USD)
Critical    $1,000 - $2,000

When duplicates occur, we award the first report that we can completely reproduce.

Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. We award bounties at the time of validation and will keep you posted as we work to resolve them. Sometimes, however, investigating the severity of a vulnerability takes more time, in which case the bounty may be paid later.

Test only with your own account(s) when investigating bugs, and do not interact with other accounts without the consent of their owners.


By submitting a bug report you agree to comply with the Xsolla Bounty Program Policy, which forbids public or private disclosure of the details of any vulnerability or bug in Xsolla until 30 days after the bug has been fixed.

By participating in this program, you agree to adhere to the above rules and conditions. All rules must be followed to be eligible for rewards.

Please make sure to use this User-Agent string for testing: xsolla-bugbounty-%your-email-before@% (replace the placeholder with the part of your email address before the @ sign).
Average response time: 48 hours