Security

The Program

Important: This program is not intended for non-security related issues in the web interface or any of our products. For those, please create a regular support ticket, and we will assist you as soon as possible.

If you follow the rules of this program, no legal action will be taken. You should receive an initial response within 72 hours.

Eligibility

You must be the first person to report the vulnerability.
Keep all report information confidential. If you want to disclose it publicly, consult with us first.
Make a good faith effort to avoid privacy violations, destruction of data, or service interruption/degradation. Do not access sensitive data unless necessary to confirm the vulnerability (e.g., use IDs instead of dumping /etc/passwd). If critical data is accessed, describe the scenario in your report.
Report the vulnerability as soon as possible after discovery.
Do not use automated tools (e.g., SQLMap).
Provide a clear proof of concept (PoC) demonstrating the impact and steps to reproduce the issue.
Create a maximum of two accounts for testing purposes.

Reporting & Bounty

Report vulnerabilities by creating a ticket and selecting “Security Vulnerability” as the reference. This allows us to assign and process your report efficiently.
Send only one vulnerability per report. Do not submit vulnerabilities via email or other channels.
In reward for helping us strengthen security and protect our customers’ data, we may assign a bounty reward for your contribution.

Scope

The following are in-scope targets:

xmbhosting.com
rest.xmbhosting.com
Servers within the Xmbhosting network that are not customer-owned

Exclusions

The following are out of scope:

Denial of service (DoS) attacks
Spamming
Social engineering (including phishing) of Xmbhosting staff or data centers
Physical attacks on Xmbhosting properties or data centers
Missing cookie flags on non-sensitive cookies
CSRF without a clear PoC demonstrating security impact
Information disclosure of non-sensitive data
Descriptive error messages (e.g., stack traces)
Open redirects without PoC showing critical impact
Reports on outdated software versions without PoC
Captcha bypass
Self-XSS without PoC demonstrating impact on other users
Missing HTTP security headers
Issues only reproducible in extremely outdated browsers
Recently disclosed 0-day vulnerabilities in common CMS like WordPres

Note: If you find a vulnerability listed above or not specifically in scope but believe it has reasonable security impact, please report it. We will review all submissions.

Questions

For any questions regarding the program, contact us at:
info@xmbhosting.com (please do not report vulnerabilities to this address)

Name	Provider	Expiration	Purpose
_cfduid	CloudFlare Inc	1 Year	Static file delivery
laravel_session	XMBHosting	Session	Identifies a session instance for a user
XSRF-TOKEN	XMBHosting	Session	Prevent cross-site request forgery (CSRF) attacks
laravel_token	XMBHosting	Session	API authentication

Name	Provider	Expiration	Purpose
filter_orders	XMBHosting	Session	Set preffered order status
<-article->-feedback	XMBHosting	Session	Collect Article Feedback
affiliate	XMBHosting	Session	Track users invited by affiliates
affiliate_invite	XMBHosting	Session	Keep track of affiliate invites

Info

How much do you want to add?