Vulnerability Disclosure Policy

Reporting a Vulnerability

If you believe you have found a security vulnerability in Exoliner, please report it to us responsibly. We take all reports seriously and will respond as quickly as possible.

Send your report to:

[email protected]

Please include the following in your report:

  • A clear description of the vulnerability
  • Steps to reproduce the issue
  • The potential impact or severity
  • Any proof-of-concept or screenshots (if applicable)
  • Your contact information for follow-up

What to Expect

After submitting a vulnerability report, here is what you can expect:

1. Acknowledgement

We will acknowledge receipt of your report within 48 hours.

2. Assessment

Our team will investigate and validate the reported vulnerability.

3. Resolution

We will work to fix the vulnerability and keep you informed of our progress. Resolution timelines depend on severity and complexity.

4. Disclosure

Once resolved, we may coordinate public disclosure with you if appropriate.

Scope of Testing

Testing must be limited to assets owned and operated by Exoliner. The following domains and services are in scope:

  • exoliner.wtf
  • api.serverside.plus

Any assets not listed above are out of scope. Do not test against third-party services or infrastructure not controlled by Exoliner.

In Scope & Severity Classification

The following vulnerability types are in scope, classified by severity:

CRITICAL
  • Remote code execution (RCE)
  • SQL injection with data access
  • Authentication bypass (full account takeover)
  • Privilege escalation to admin
HIGH
  • Server-side request forgery (SSRF)
  • Insecure direct object references (IDOR) with sensitive data access
  • Stored cross-site scripting (XSS)
  • Sensitive data exposure (API keys, tokens, user PII)
  • Authorization bypass between users
MEDIUM
  • Reflected cross-site scripting (XSS)
  • Cross-site request forgery (CSRF) on sensitive actions
  • IDOR with limited impact
  • API abuse with demonstrable impact
LOW
  • Self-XSS or DOM-based XSS with limited reach
  • Information disclosure (non-sensitive)
  • CSRF on non-sensitive actions
  • Minor misconfigurations with limited exploitability

Out of Scope

The following are generally considered out of scope:

  • Denial of service (DoS/DDoS) attacks
  • Social engineering or phishing attacks against Exoliner staff or users
  • Physical attacks against Exoliner infrastructure
  • Vulnerabilities in third-party services or software not controlled by Exoliner
  • Reports from automated scanning tools without verified impact
  • Missing security headers without demonstrated exploit
  • Rate limiting issues, unless they demonstrate concrete abuse potential

Safe Harbor

We consider security research conducted in good faith to be authorized. We will not pursue legal action against researchers who comply with this policy and:

  • Make a good faith effort to avoid privacy violations, data destruction, and disruption of service
  • Limit testing to assets owned and operated by Exoliner and do not impact other users or production stability
  • Do not exploit a vulnerability beyond what is necessary to demonstrate the issue
  • Do not access, modify, or delete data belonging to other users
  • Do not attempt to access or download large amounts of data or any sensitive user information
  • Report vulnerabilities promptly and do not publicly disclose until we have had a reasonable time to address the issue
  • Do not use automated tools that generate excessive traffic or disruption

Rewards

Exoliner offers monetary rewards for valid vulnerability reports, scaled by severity. Rewards are paid at our discretion after the vulnerability has been confirmed and resolved.

  • Critical: $100 – $200
  • High: $50 – $100
  • Medium: $15 – $50
  • Low: Up to $15

Reward amounts are determined based on impact, exploitability, and quality of the report. The final amount is at Exoliner's sole discretion.

To be eligible for a reward, you must:

  • Be the first person to report the vulnerability
  • Comply with all terms of this disclosure policy
  • Provide a clear, reproducible report
  • Not be a current or former Exoliner staff member

Researchers may also be publicly acknowledged (with permission) for valid reports.

Contact

For all security-related inquiries, please contact:

Security Reports

[email protected]

General Support

[email protected]

We appreciate the security community's efforts in helping keep Exoliner and its users safe. Thank you for practicing responsible disclosure.