Security policy

This is a vulnerability disclosure program for all of our services and systems.

Disclosure policy

We will investigate legitimate reports and make every effort to quickly resolve any vulnerability. To encourage responsible reporting, we will not take legal action against you nor ask law enforcement to investigate you, provided you comply with the following guideline:

Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.

It is also important to note that we will not take legal action against you simply for providing us with a proof of concept of the security vulnerability. Please follow the guidelines listed in the Proof of concepts section below to ensure that your proof of concept is detailed enough to demonstrate the issue while still following the guideline listed above.

If you have any questions or concerns about this disclosure policy, please do not hesitate to contact us via email at security@xpos.nl

Proof of concepts

Issue type             When to report the issue
XSS                    For XSS, a simple alert(document.domain) should suffice.
RCE                    Please only execute harmless code. Simply printing something or evaluating an expression should be enough to demonstrate the issue.
SQLi                   Report it as soon as you have a SQL error that indicates SQL injection.
Unvalidated redirect   Set the redirect endpoint to http://example.com.
CSRF                   Either attach a file to demonstrate the issue or paste the code in a code block in your report.
SSRF                   Either attach a file to demonstrate the issue or paste the code in a code block in your report. Please do not go against the guideline listed in the Disclosure policy section.
LFI                    Same as SSRF.

For issue types not mentioned, try to adhere to the guideline and minimize the impact/disclosure.

Rewards

We are currently not actively offering financial rewards, but depending on the severity or impact of a valid report we are willing to pay a reasonable fee.