Submit a form below with a detailed report. This report should include clear information about security issues and their Impact. Reports without reproducible PoC will be closed as Informative.

Your report should include as much of the following as possible:

  • Link to the page containing the bug or affected products/websites (if applicable)
  • Type of bug
  • Step-by-step instructions to reproduce and validation the bug
  • Impact (why you think it’s a bug and what trouble or damage it’s causing)
  • Recommendations for fixing/improving

Please follow these while submitting the report:

  • Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of Xsolla services
  • Do not attempt to perform brute-force attacks, denial-of-service attacks, compromise or testing of Xsolla accounts that are not your own
  • Do not attempt to target Xsolla employees or its customers, including social engineering attacks, phishing attacks or physical attacks
  • Do not perform physical attacks against any Xsolla facility

Please make sure to use the User-Agent string xsolla-bugbounty-%your-email-before@% while testing

Limited usage of automated scanners/tools is allowed with above User-Agent applied and scanners/tools must be configured to not send more than 15 requests per second to any particular service

Please note, use of scanning tools without the User-agent string above may result in your account/IP getting blocked by automated protections. It can take time to reinstate these so please make sure to include it.

Once submitted, we will acknowledge that we have received your report with an automated reply to ask for more info if it is necessary, and will continue our conversation via email when/if applicable. We will then review the information and work to validate the reported bug. In the event that a true bug is discovered, we will notify you.


By submitting a bug report you agree to comply with the Xsolla Bounty Program Policy, which forbids public or private disclosure of the details of any vulnerability or bug on Xsolla before the 30 days after the bug has been fixed.

By participating in this program, you agree to adhere to the above rules and conditions. All rules must be followed to be eligible for rewards.

Please make sure to use this User-Agent string for testing:xsolla-bugbounty-%your-email-before@%Learn more...
Average response time: 48 hours