Responsible Disclosure

CyberXtron takes the security of our platform seriously. We welcome responsible disclosure of security vulnerabilities from the security research community.

Scope

The following are in scope for our vulnerability disclosure program:

  • app.cyberxtron.com — Web application
  • api.cyberxtron.com — REST API
  • cyberxtron.com — Marketing site

Out of Scope

  • Third-party services and infrastructure (AWS, Cloudflare, etc.)
  • Social engineering attacks on CyberXtron employees
  • Physical security attacks
  • Denial of service attacks
  • Findings from automated scanners without validation

What to Report

We're interested in vulnerabilities such as:

  • Authentication and authorization bypasses
  • SQL injection, XSS, CSRF
  • Remote code execution
  • Sensitive data exposure
  • Business logic vulnerabilities affecting other users' data

How to Report

Send your findings to: security@cyberxtron.com

Please include:

  1. A clear description of the vulnerability
  2. Steps to reproduce
  3. Potential impact
  4. (Optional) Suggested fix

Encrypt your report using our PGP key if it contains sensitive information. Our PGP key is available at cyberxtron.com/pgp.

Our Commitments

When you report a valid vulnerability to us, we commit to:

  • Acknowledge receipt of your report within 2 business days
  • Confirm the vulnerability within 5 business days
  • Notify you when the vulnerability is fixed
  • Credit you in our Hall of Fame (if you wish)

Safe Harbor

We will not pursue legal action against security researchers who:

  • Report vulnerabilities in good faith following this policy
  • Do not access, modify, or delete user data
  • Do not disrupt the availability of our services
  • Disclose privately to us before any public disclosure

Hall of Fame

We publicly recognize researchers who responsibly disclose valid security issues:

No submissions yet — be the first!

Response Timeline

Stage                    Target Time
Acknowledgment           2 business days
Initial assessment       5 business days
Fix for Critical/High    14 days
Fix for Medium           30 days
Fix for Low              90 days

Do not publicly disclose the vulnerability before we've had a reasonable opportunity to fix it. We ask for a minimum of 90 days before public disclosure.