At Xistyl Private Limited (including its affiliates) (hereinafter referred to as ‘Xistyl’), we appreciate and encourage security researchers to contact us to report potential vulnerabilities identified in any product, system, or asset belonging to us.
In support, we have established a Responsible Disclosure Policy, also called a Vulnerability Disclosure Policy. This policy is designed to create a clear communication path around reporting and disclosing exploitable vulnerabilities in our systems.
We may modify and revise this policy at our sole discretion; please check here periodically for updates.
Rules of Engagement
Researchers submitting a vulnerability to Xistyl agree to be bound by the terms of the Responsible Disclosure Policy (hereinafter referred to as the ‘Terms’).
What is in scope and out of scope when discovering vulnerabilities is clearly mentioned and specified in the sections below.
Researchers shall ensure that they do not engage in privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
Researchers should only exploit a vulnerability to the extent necessary to confirm that it exists. Researchers should not use a vulnerability to compromise or exfiltrate data, to establish command-line access and/or persistence, or to “pivot” to other systems.
Once a researcher establishes that a vulnerability exists, or encounters any sensitive data, the researcher shall stop any further testing and notify Xistyl immediately. Researchers are required to keep any information about discovered vulnerabilities confidential even after submitting the vulnerability report.
Xistyl discourages violation of applicable laws and breach of any agreements in order to discover vulnerabilities and reserves the right to pursue legal action when the terms of this policy are violated or when testing is performed outside the scope of this policy. The decision made by our security team regarding validity, severity & impact of a vulnerability will be considered final and cannot be contested.
Xistyl may share your vulnerability reports with any affected partners, vendors or open source projects.
Authorization
If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized, will work with you to understand and resolve the issue quickly, and Xistyl will not initiate or recommend legal action related to your research.
If the identified vulnerability can be used to potentially extract information of our customers or systems, or impair our systems' ability to function normally, then please refrain from actually exploiting such a vulnerability. This is absolutely necessary for us to consider your disclosure a responsible one.
While we appreciate the inputs of researchers, we may take legal recourse if the identified vulnerabilities are exploited for unlawful gains, for getting access to restricted customer or system information, or for impairing our systems.
Policy Coverage Area
The following mobile apps and websites (including any sub-domain of the listed domains) are covered by this policy:
Xistyl.com
Xistyl Android App
Xistyl iOS App
If you encounter any vulnerability on our systems while testing within the scope of this policy, stop your test and notify us immediately.
Out of Scope Vulnerabilities
General software related bugs (like SSL, older versions etc.)
Vulnerabilities related to SPF/DMARC/DKIM records, which do not result in demonstrated compromise
Missing security headers etc. or other security best practices, which do not result in demonstrated compromise
Vulnerabilities related to outdated app versions or browsers – exploits/vulnerabilities related to current versions and only in the latest browser versions are accepted
Exploits that need MITM or physical access to the victim’s device
Clickjacking related submissions
Unauthenticated/logout/login CSRF
Previously known vulnerable libraries without a working Proof of Concept
Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
Open redirect
Missing CAA records
Stack traces, directory listings or path disclosure
Self XSS
Social engineering attacks, whether against users or employees
Issues on non-company assets like GitHub, Cloud Providers or others, which Xistyl may be using
Forgot Password page brute-force and account lockout not enforced
Lack of Captcha
Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
Session Timeouts
Host Header Injection
Exposed API keys without clear demonstration of security impact
Specifically, exposed Google Map APIs keys and keys in Android XML files are out of scope for now
General Rules - Do’s & Don’ts
Do not launch Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.
Automated tools or scripts are strictly prohibited.
Any POC submitted should include a proper step-by-step guide to reproduce the issue. As stated above, abuse of any vulnerability found may result in legal penalties.
Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
Do not attempt to gain access to any other person’s account, data or personal information.
Do use your real email address to report any vulnerability information to us.
Keep information about any vulnerabilities you have discovered confidential between yourself and Xistyl. The Researcher shall not publicly disclose the bug or vulnerability on any online or physical platform before it is fixed and prior written approval to disclose it publicly has been obtained from Xistyl.
Do not use scanners or automated tools to find vulnerabilities.
As a security researcher, you represent and warrant that you have the right, title and interest to disclose any vulnerability found and to submit any information, including documents, code, among others, in connection therewith. Once you report a vulnerability, you grant Xistyl, its subsidiaries and affiliates an irrevocable, worldwide, royalty-free, transferable, sublicensable right to use the submitted information in any way Xistyl deems appropriate for any purpose. Further, you hereby waive all other claims of any nature, including express contract, implied-in-fact contract, or quasi-contract, arising out of any disclosure accepted by Xistyl.
Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
How to report
Individual Details:
Full Name
Mobile Number
Any Public profile (Twitter, LinkedIn, Github etc.)
Bug Details:
Name of the Vulnerability
Affected Application
Vulnerable Endpoint & Parameter
Impact
Detailed steps to reproduce
Remediation
Please keep your vulnerability reports current by sending us any new information as it becomes available. We may share your vulnerability reports with any affected partners, vendors or open-source projects.
Recognition
To thank you for helping us keep our data secure, once the reported security vulnerability is verified and fixed, we would like to put your name on our “Security Hall of Fame” page at https://www.xistyl.com/hall-of-fame.
We may at our sole discretion send out Xistyl Swag in some cases.
Eligibility for Recognition
Must be the first person to responsibly disclose the vulnerability.
Vulnerability discovered must be found when testing within the scope of this policy.
The reported vulnerability must significantly impact the security and integrity of Xistyl services, or the privacy of customer or partner data.
Xistyl may at its sole discretion rate vulnerabilities as critical, high, medium and low. Only vulnerabilities rated critical and high are eligible for the Security Hall of Fame (https://www.xistyl.com/hall-of-fame).