IN SCOPE

The program is limited to the web and mobile versions of the Xsolla website. Our profiles on Facebook, Twitter, LinkedIn, Reddit, etc., and our partners' websites do not qualify.

Eligible for bounty:

*.xsolla.com (accelerator.xsolla.com excluded)

80.lv

story3.com

golightstream.com (rainmaker.gg excluded)

api.stream

ELIGIBLE VULNERABILITIES

VULNERABILITY                                                    SEVERITY RANGE
Remote Code Execution                                            Critical
SQL Injection                                                    High - Critical
XXE                                                              High - Critical
Stored XSS                                                       Medium - High
Server-Side Request Forgery                                      High - Critical
Directory Traversal - Local File Inclusion                       High
Authentication/Authorization Bypass (Broken Access Control)      Medium - High
Insecure Direct Object Reference                                 Medium - High
Reflected Cross Site Scripting                                   Medium
Misconfiguration                                                 Low - High
Web Cache Deception                                              Low - Medium
CORS Misconfiguration                                            Low - Medium
CRLF Injection                                                   Low - Medium
Cross Site Request Forgery                                       Low - Medium
Open Redirect                                                    Low - Medium
Information Disclosure                                           Low - Medium
Privilege Escalation                                             Medium - High
REPORT SUBMISSION

By submitting a bug report, you agree to comply with the Xsolla Bounty Program Policy, which prohibits both public and private disclosure of any vulnerability or bug details related to Xsolla.

By participating in this program, you agree to adhere to the above rules and conditions. All rules must be followed to be eligible for rewards.

Please make sure to use this User-Agent string for testing: xsolla-bugbounty-%your-email-before@%

Average response time: 48 hours for tickets