Please review the scope carefully. Please submit all vulnerabilities via email to security@xtrm.com.
Reward
Where monetary bounty is presented, eligible reports will be awarded based on severity as determined by CVSS v3.0. Bounty amounts above represent the minimum award for each severity category and are scaled based on CVSS v3.0 scores. Any vulnerabilities which require an attacker to be logged into an account are considered to have "low" Privileges Required.
Scope
www.xtrm.com and all subdomains *.xtrm.com are considered in-scope unless specified as out-of-scope in the following list.
The following domains are considered out-of-scope and are not eligible for reward.
blog.xtrm.com
sandboxblog.xtrm.com
apidoc.xtrm.com
notifications.xtrm.com
sales.xtrm.com
bounces.xtrm.com
developersupport.xtrm.com
salesrepsupport.xtrm.com
support.xtrm.com
xtrmsupport.xtrm.com
Access
Please use our sandbox environment for account creation and testing purposes.
Individual user accounts can be created for testing here
Company accounts can be created here
Company accounts need our approval for creation so please contact us at security@xtrm.com detailing the company name, and email used to sign up and we can approve the account creation.
Policy
Our team of dedicated security professionals works vigilantly to help keep customer information secure. We recognize the important role that security researchers and our user community play in helping to keep XTRM and our customers secure. If you discover a site or product vulnerability please notify us using the guidelines below.
Program Terms
Please note that your participation in the Bug Bounty Program is voluntary and subject to the terms and conditions set forth on this page (“Program Terms”). By submitting a site or product vulnerability to XTRM, Inc. (“XTRM”) you acknowledge that you have read and agreed to these Program Terms.
These Program Terms supplement the terms of XTRM User Agreement, the XTRM Acceptable Use Policy, and any other agreement in which you have entered with XTRM (collectively “XTRM Agreements”). The terms of those XTRM Agreements will apply to your use of, and participation in, the Bug Bounty Program as if fully set forth herein. If any inconsistency exists between the terms of the XTRM Agreements and these Program Terms, these Program Terms will control, but only with regard to the Bug Bounty Program.
To encourage responsible disclosures, XTRM commits that, if we conclude, in our sole discretion, that a disclosure respects and meets all the guidelines of these Program Terms and the XTRM Agreements, XTRM will not bring a private action against you or refer a matter for public inquiry.
As part of your research, do not modify any files or data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.
Eligibility Requirements
To be eligible for the Bug Bounty Program, you must not:
Be a resident of, or make your Submission from, a country against which the United States has issued export sanctions or other trade restrictions (e.g., Cuba, Iran, North Korea, Sudan and Syria);
Be in violation of any national, state, or local law or regulation;
Be employed by XTRM, Inc. or its subsidiaries;
Be an immediate family member of a person employed by XTRM, Inc. or its subsidiaries or affiliates; or
Be less than 14 years of age. If you are at least 14 years old, but are considered a minor in your place of residence, you must get your parent’s or legal guardian’s permission prior to participating in the program.
If XTRM discovers that you meet any of the criteria above, XTRM will remove you from the Bug Bounty Program and disqualify you from receiving any Bounty Payments.
Disclosure Guidelines
By providing a Submission or agreeing to the Program Terms, You agree that you may not publicly disclose your findings or the contents of your Submission to any third parties in any way without XTRM’s prior written approval.
Failure to comply with the Program Terms will result in immediate disqualification from the Bug Bounty Program and ineligibility for receiving any Bounty Payments.
Scope for Web Applications
In-Scope Vulnerabilities
Accepted, in-scope vulnerabilities include, but are not limited to:
Log4Shell
Log4Shell RCEs, Data Exfil, WAF bypass will be treated as high or critical based on severity
Ping-backs where you can Interpolate the environment, hostname, IP address, or date or time are rated a medium
If a reproducible proof of concept is not included the report will be closed as informative
Disclosure of sensitive or personally identifiable information
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF) for sensitive functions in a privileged context
Server-side or remote code execution (RCE)
Authentication or authorization flaws, including insecure direct object references and authentication bypass
Injection vulnerabilities, including SQL and XML injection
Directory traversal
Significant security misconfiguration with a verifiable vulnerability
Exposed credentials, disclosed by XTRM or its employees, that pose a valid risk to an in scope asset
Out-of-Scope Vulnerabilities
Certain vulnerabilities are considered out-of-scope for the Bug Bounty Program. Those out-of-scope vulnerabilities include, but are not limited to:
Any physical attacks against XTRM property or data centers
Reports that involve a secondary user account where an existing business relationship is being leveraged and the impact is limited solely to the parent account
Username enumeration on customer facing systems (i.e. using server responses to determine whether a given account exists)
Attacks involving payment fraud, theft, or malicious merchant accounts
Man-in-the-Middle attacks
Vulnerabilities involving stolen credentials or physical access to a device
Social engineering attacks, including those targeting or impersonating internal employees by any means (e.g. customer service chat features, social media, personal domains, etc.)
Open redirection, except in the following circumstances:
Clicking a XTRM-owned URL immediately results in a redirection, and/or
A redirection results in the loss of sensitive data (e.g. session tokens, PII, etc)
Host header injections without a specific, demonstrable impact
Scanner output or scanner-generated reports
Vulnerabilities found through DDoS or spam attacks. If you discover a vulnerability and believe it can cause DoS (for example, a logical flaw or known CVE), please submit it and we will review on a case-by-case basis. Do not attempt or execute DDoS attacks.
Self-XSS, which includes any payload entered by the victim
Any vulnerabilities requiring significant and unlikely interaction by the victim, such as disabling browser controls
Login/logout CSRF
Content spoofing without embedding an external link or JavaScript
Vulnerabilities only affecting users of outdated, unpatched, or unsupported browsers and platforms, including any version of Internet Explorer
Vulnerabilities that only affect one browser will be considered on a case-by-case basis, and may be closed as informative due to the reduced attack surface
Information disclosure of public or non-protected information (e.g. code in a public repository, server banners, etc.), or information disclosed outside of XTRM's control (e.g. a personal, non-employee repository; a list from a previous infodump; etc.)
Exposed credentials that are either no longer valid, or do not pose a risk to an in scope asset
Any XSS that requires Flash. Flash is disabled by default in most modern browsers, thus greatly reducing the attack surface and associated risk.
Any other submission determined to be low risk, based on unlikely or theoretical attack vectors, requiring significant user interaction, or resulting in minimal impact
Vulnerabilities on third party libraries without showing specific impact to the target application (e.g. a CVE with no exploit)
Bug Submission Requirements
All submissions must be sent to security@xtrm.com and meet the following requirements.
Required information
For all submissions, please include:
Full description of the vulnerability being reported, including the exploitability and impact
Evidence and explanation of all steps required to reproduce the submission, which may include:
Videos
Screenshots
Exploit code
Traffic logs
Web/API requests and responses
Email address or user ID of any test accounts
IP address used during testing
For RCE submissions, see below
Failure to include any of the above items may delay or jeopardize the Bounty Payment
Remote Code Execution (RCE) Submission Guidelines:
Failure to meet the below conditions and requirements could result in a forfeiture of any potential Bounty Payment.
Source IP address
Timestamp, including time zone
Full server request and responses
Filenames of any uploaded files, which must include “bugbounty” and the timestamp
Callback IP and port, if applicable
Any data that was accessed, either deliberately or inadvertently
Allowed Actions:
Directly injecting benign commands via the web application or interface (e.g. whoami, hostname, ifconfig)
Uploading a file that outputs the result of a hard-coded benign command
Prohibited Actions:
Uploading files that allow arbitrary commands (i.e. a webshell)
Modifying any files or data, including permissions
Deleting any files or data
Interrupting normal operations (e.g. triggering a reboot)
Creating and maintaining a persistent connection to the server
Intentionally viewing any files or data beyond what is needed to prove the vulnerability
Failing to disclose any actions taken or applicable required information
Bounty Payments
You may be eligible to receive a monetary reward (“Bounty Payment”) if: (i) you are the first person to submit a site or product vulnerability; (ii) that vulnerability is determined to by a valid security issue by XTRM’s security team; and (iii) you have complied with all Program Terms. Bounty Payments, if any, will be determined by XTRM, in XTRM’s sole discretion. In no event shall XTRM be obligated to pay you a bounty for any Submission. All Bounty Payments shall be considered gratuitous.
All Bounty Payments will be made in United States dollars (USD). You will be responsible for any tax implications related to Bounty Payments you receive, as determined by the laws of your jurisdiction of residence or citizenship.
XTRM will determine all Bounty Payments based on the risk and impact of the vulnerability. The minimum bounty amount for a validated bug submission is $50 USD and the maximum bounty for a validated bug submission is $1,000 USD.
XTRM Bug Bounty Team retains the right to determine if the bug submitted to the Bug Bounty Program is eligible. All determinations as to the amount of a bounty made by the XTRM Bug Bounty Team are final. Bounty Payment ranges are based on the classification and sensitivity of the data impacted, ease of exploit and overall risk to XTRM customers, XTRM brand and determined to be a valid security issue by XTRM’s security engineers.
Ownership of Submissions
As a condition of participation in the XTRM Bug Bounty Program, you hereby grant XTRM, its subsidiaries, affiliates and customers a perpetual, irrevocable, worldwide, royalty-free, transferrable, sublicensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative work from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to XTRM in connection therewith, for any purpose. You should not send us any Submission that you do not wish to license to us. You hereby represent and warrant that the Submission is original to you and you own all right, title and interest in and to the Submission. Further, you hereby waive all other claims of any nature, including express contract, implied-in-fact contract, or quasi-contract, arising out of any disclosure of the Submission to XTRM. In no event shall XTRM be precluded from discussing, reviewing, developing for itself, having developed, or developing for third parties, materials which are competitive with those set forth in the Submission irrespective of their similarity to the information in the Submission, so long as XTRM complies with the terms of participation stated herein.
Termination
In the event (i) you breach any of these Program Terms or the terms and conditions of the XTRM Agreements; or (ii) XTRM determines, in its sole discretion that your continued participation in the Bug Bounty Program could adversely impact XTRM (including, but not limited to, presenting any threat to XTRM’s systems, security, finances and/or reputation) XTRM may immediately terminate your participation in the Bug Bounty Program and disqualify you from receiving any Bounty Payments. Please see our recommendations on the proper procedures for testing our applications.
Confidentiality
Any information you receive or collect about XTRM or any XTRM user through the Bug Bounty Program (“Confidential Information”) must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose or distribute any such Confidential Information, including, but not limited to, any information regarding your Submission and information you obtain when researching the XTRM sites, without XTRM’s prior written consent.
Indemnification
In addition to any indemnification obligations you may have under the XTRM Agreements, you agree to defend, indemnify and hold XTRM, its subsidiaries, affiliates and the officers, directors, agents, joint ventures, employees and suppliers of XTRM, its subsidiaries, or our affiliates, harmless from any claim or demand (including attorneys’ fees) made or incurred by any third party due to or arising out of your Submissions, your breach of these Program Terms and/or your improper use of the Bug Bounty Program.
Changes to Program Terms
The Bug Bounty Program, including its policies, is subject to change or cancellation by XTRM at any time, without notice. As such, XTRM may amend these Program Terms and/or its policies at any time by posting a revised version on our website. By continuing to participate in the Bug Bounty Program after XTRM posts any such changes, you accept the Program Terms, as modified.