• Security best practices, e.g., missing security headers
  • Social Engineering, Phishing
  • Physical Attacks
  • Missing Cookie Flags
  • CSRF with minimal impact, e.g., login CSRF, logout CSRF
  • Content Spoofing
  • Stack Traces, Path Disclosure, Directory Listings
  • SSL/TLS best practices
  • Banner Grabbing
  • CSV Injection
  • Reflected File Download
  • Issues that only affect outdated browsers
  • DoS/DDoS (including missing rate limits and missing file size restrictions)
  • Host header injection without demonstrable impact
  • Scanner Outputs
  • Vulnerabilities on Third Party Products
  • User Enumeration
  • Password Complexity
  • HTTP Trace Method
  • Issues found in third party software used by Xsolla
  • Clickjacking
  • Self XSS
  • Email spoofing due to SPF record misconfiguration
  • Open redirect with host header injection

The following are customer service matters, not security issues, and will not be accepted as bug reports:

  • A payment being declined or not going through.
  • A refund that hasn’t been approved, or funds haven’t reached your account yet.
  • A payment method that is temporarily unavailable, or not available in your region or through your mobile carrier.
  • You have not received the purchase or the bonus associated with it.
  • Issues related to scheduled or unscheduled downtimes, connection issues, etc.
  • Flaws found on our profiles on Facebook, Twitter, LinkedIn, Reddit, etc. and our partners’ websites.

For these and other payment-related issues, please contact our 24/7 Customer Service team at help.xsolla.com.


By submitting a bug report you agree to comply with the Xsolla Bounty Program Policy, which forbids public or private disclosure of the details of any vulnerability or bug in Xsolla until 30 days after the bug has been fixed.

By participating in this program, you agree to adhere to the above rules and conditions. All rules must be followed to be eligible for rewards.

Please make sure to send this User-Agent string in all testing traffic: xsolla-bugbounty-%your-email-before@% (replace the placeholder with the part of your email address before the @ sign, so that your requests can be attributed to you).
Average response time: 48 hours