We believe it is against the spirit of this program to disclose the flaw for purposes other than actually fixing the bug. Participants agree to not disclose bugs found until 30 days after they have been fixed, and to coordinate disclosure with our team through email to avoid confusion.

We will do our best to respond to your submission as quickly as possible, keep you updated on the fix, and award a bounty when appropriate.

Please do not hack user accounts, corrupt databases, or leak data that might be sensitive. We also discourage testing that degrades the quality of service for our users.


By submitting a bug report, you agree to comply with the Xsolla Bounty Program Policy, which forbids public or private disclosure of the details of any vulnerability or bug on Xsolla until 30 days after the bug has been fixed.

By participating in this program, you agree to adhere to the above rules and conditions. All rules must be followed to be eligible for rewards.

Please make sure to use this User-Agent string for testing: xsolla-bugbounty-%your-email-before@%
Average response time: 48 hours