Please review the scope carefully. All vulnerabilities must be submitted through the Xtrm Bug Bounty Portal at bugbounty.xtrm.com. Submissions are no longer accepted by email; reports sent to security@xtrm.com may not be tracked. You may still contact our security team at security@xtrm.com with questions about the program.
Reward
Where monetary bounty is presented, eligible reports will be awarded based on severity as determined by CVSS v3.1. Bounty amounts below represent the minimum award for each severity category and are scaled based on CVSS v3.1 scores. Any vulnerabilities which require an attacker to be logged into an account are considered to have "low" Privileges Required.
Scope
www.xtrm.com and all subdomains *.xtrm.com are considered in-scope unless specified as out-of-scope in the following list.
The following domains are considered out-of-scope and are not eligible for reward.
blog.xtrm.com
sandboxblog.xtrm.com
apidoc.xtrm.com
notifications.xtrm.com
sales.xtrm.com
bounces.xtrm.com
developersupport.xtrm.com
salesrepsupport.xtrm.com
support.xtrm.com
bugbounty.xtrm.com
xtrmsupport.xtrm.com
Also out of scope are the following website elements.
- Support / sales chatbot
- Contact us forms
Access
Please use our sandbox environment for all account creation and testing purposes. You can register and manage your testing accounts directly in the Bug Bounty Portal:
- Individual (personal) sandbox accounts can be created and used for testing immediately.
- Company (sandbox) accounts require our approval. Request approval from within the portal, or contact us at security@xtrm.com, detailing the company name and the email used to sign up, and we will review the account for approval.
Getting Started
To participate in the program:
- Create your researcher account at bugbounty.xtrm.com using the email address you want associated with your submissions and rewards.
- Verify your email address to activate your account.
- Register any sandbox testing accounts you intend to use, and request approval for company accounts where required.
- Submit each vulnerability through the portal, completing all required fields.
Tracking and Communication
Once you submit a vulnerability through the portal, you can track its status and communicate directly with the Xtrm security team from within the portal. Please keep all communication regarding a submission inside the portal so that it remains associated with the correct report.
Policy
Our team of dedicated security professionals works vigilantly to help keep customer information secure. We recognize the important role that security researchers and our user community play in helping to keep Xtrm and our customers secure. If you discover a site or product vulnerability, please notify us using the guidelines below.
Program Terms
Please note that your participation in the Bug Bounty Program is voluntary and subject to the terms and conditions set forth on this page (“Program Terms”). By submitting a site or product vulnerability to Xtrm, Inc. (“Xtrm”) you acknowledge that you have read and agreed to these Program Terms.
These Program Terms supplement the terms of the Xtrm User Agreement, the Xtrm Acceptable Use Policy, and any other agreement in which you have entered with Xtrm (collectively “Xtrm Agreements”). The terms of those Xtrm Agreements will apply to your use of, and participation in, the Bug Bounty Program as if fully set forth herein. If any inconsistency exists between the terms of the Xtrm Agreements and these Program Terms, these Program Terms will control, but only with regard to the Bug Bounty Program.
To encourage responsible disclosures, Xtrm commits that, if we conclude, in our sole discretion, that a disclosure respects and meets all the guidelines of these Program Terms and the Xtrm Agreements, Xtrm will not bring a private action against you or refer a matter for public inquiry.
As part of your research, do not modify any files or data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.
Eligibility Requirements
To be eligible for the Bug Bounty Program, you must not:
- Be a resident of, or make your Submission from, a country against which the United States has issued export sanctions or other trade restrictions (e.g., Cuba, Iran, North Korea, Sudan and Syria);
- Be in violation of any national, state, or local law or regulation;
- Be employed by Xtrm, Inc. or its subsidiaries;
- Be an immediate family member of a person employed by Xtrm, Inc. or its subsidiaries or affiliates; or
- Be less than 14 years of age. If you are at least 14 years old, but are considered a minor in your place of residence, you must get your parent’s or legal guardian’s permission prior to participating in the program.
If Xtrm discovers that you meet any of the criteria above, Xtrm will remove you from the Bug Bounty Program and disqualify you from receiving any Bounty Payments.
Disclosure Guidelines
By providing a Submission or agreeing to the Program Terms, you agree that you may not publicly disclose your findings or the contents of your Submission to any third parties in any way without Xtrm’s prior written approval.
Failure to comply with the Program Terms will result in immediate disqualification from the Bug Bounty Program and ineligibility for receiving any Bounty Payments.
Scope for Web Applications
In-Scope Vulnerabilities
Accepted, in-scope vulnerabilities include, but are not limited to:
- Log4Shell
  - Log4Shell RCEs, data exfiltration, and WAF bypasses will be treated as high or critical based on severity
  - Ping-backs where you can interpolate the environment, hostname, IP address, or date or time are rated a medium
  - If a reproducible proof of concept is not included, the report will be closed as informative
- Disclosure of sensitive or personally identifiable information
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF) for sensitive functions in a privileged context
- Server-side or remote code execution (RCE)
- Authentication or authorization flaws, including insecure direct object references and authentication bypass
- Injection vulnerabilities, including SQL and XML injection
- Directory traversal
- Significant security misconfiguration with a verifiable vulnerability
- Exposed credentials, disclosed by Xtrm or its employees, that pose a valid risk to an in-scope asset
Out-of-Scope Vulnerabilities
Certain vulnerabilities are considered out-of-scope for the Bug Bounty Program. Those out-of-scope vulnerabilities include, but are not limited to:
- Any physical attacks against Xtrm property or data centers
- Reports that involve a secondary user account where an existing business relationship is being leveraged and the impact is limited solely to the parent account
- Username enumeration on customer facing systems (i.e. using server responses to determine whether a given account exists)
- Attacks involving payment fraud, theft, or malicious merchant accounts
- Man-in-the-Middle attacks
- Vulnerabilities involving stolen credentials or physical access to a device
- Social engineering attacks, including those targeting or impersonating internal employees by any means (e.g. customer service chat features, social media, personal domains, etc.)
- Open redirection, except in the following circumstances:
  - Clicking an Xtrm-owned URL immediately results in a redirection, and/or
  - A redirection results in the loss of sensitive data (e.g. session tokens, PII, etc.)
- Host header injections without a specific, demonstrable impact
- Scanner output or scanner-generated reports
- Vulnerabilities found through DDoS or spam attacks. If you discover a vulnerability and believe it can cause DoS (for example, a logical flaw or known CVE), please submit it and we will review on a case-by-case basis. Do not attempt or execute DDoS attacks.
- Self-XSS, which includes any payload entered by the victim
- Any vulnerabilities requiring significant and unlikely interaction by the victim, such as disabling browser controls
- Login/logout CSRF
- Content spoofing without embedding an external link or JavaScript
- Vulnerabilities only affecting users of outdated, unpatched, or unsupported browsers and platforms, including any version of Internet Explorer
- Vulnerabilities that only affect one browser will be considered on a case-by-case basis, and may be closed as informative due to the reduced attack surface
- Information disclosure of public or non-protected information (e.g. code in a public repository, server banners, etc.), or information disclosed outside of Xtrm’s control (e.g. a personal, non-employee repository; a list from a previous infodump; etc.)
- Exposed credentials that are either no longer valid, or do not pose a risk to an in-scope asset
- Any XSS that requires Flash. Flash is disabled by default in most modern browsers, thus greatly reducing the attack surface and associated risk.
- Any other submission determined to be low risk, based on unlikely or theoretical attack vectors, requiring significant user interaction, or resulting in minimal impact
- Vulnerabilities on third party libraries without showing specific impact to the target application (e.g. a CVE with no exploit)
Bug Submission Requirements
All submissions must be made through the Bug Bounty Portal at bugbounty.xtrm.com and must meet the following requirements.
Required Information
For all submissions, please complete all required fields in the portal, including:
- Full description of the vulnerability being reported, including the exploitability and impact
- Evidence and explanation of all steps required to reproduce the submission, which may include videos, screenshots, exploit code, traffic logs, and web/API requests and responses
- Email address or user ID of any test accounts
- IP address used during testing
- For RCE submissions, see the guidelines below
Failure to include any of the above items may delay or jeopardize the Bounty Payment.
Remote Code Execution (RCE) Submission Guidelines
Failure to meet the below conditions and requirements could result in a forfeiture of any potential Bounty Payment. Please include:
- Source IP address
- Timestamp, including time zone
- Full server request and responses
- Filenames of any uploaded files, which must include “bugbounty” and the timestamp
- Callback IP and port, if applicable
- Any data that was accessed, either deliberately or inadvertently
Allowed Actions:
- Directly injecting benign commands via the web application or interface (e.g. whoami, hostname, ifconfig)
- Uploading a file that outputs the result of a hard-coded benign command
Prohibited Actions:
- Uploading files that allow arbitrary commands (i.e. a webshell)
- Modifying any files or data, including permissions
- Deleting any files or data
- Interrupting normal operations (e.g. triggering a reboot)
- Creating and maintaining a persistent connection to the server
- Intentionally viewing any files or data beyond what is needed to prove the vulnerability
- Failing to disclose any actions taken or applicable required information
Bounty Payments
You may be eligible to receive a monetary reward (“Bounty Payment”) if: (i) you are the first person to submit a site or product vulnerability; (ii) that vulnerability is determined to be a valid security issue by Xtrm’s security team; and (iii) you have complied with all Program Terms. Bounty Payments, if any, will be determined by Xtrm, in Xtrm’s sole discretion. In no event shall Xtrm be obligated to pay you a bounty for any Submission. All Bounty Payments shall be considered gratuitous.
All Bounty Payments will be made in United States dollars (USD) to your Xtrm individual user wallet, and only once your account identity level reaches 100%. You will be responsible for any tax implications related to Bounty Payments you receive, as determined by the laws of your jurisdiction of residence or citizenship.
Xtrm will determine all Bounty Payments based on the risk and impact of the vulnerability. The minimum bounty amount for a validated bug submission is $50 USD and the maximum bounty for a validated bug submission is $1,000 USD.
The Xtrm Bug Bounty Team retains the right to determine whether a bug submitted to the Bug Bounty Program is eligible. All determinations as to the amount of a bounty made by the Xtrm Bug Bounty Team are final. Bounty Payment ranges are based on the classification and sensitivity of the data impacted, ease of exploit, and overall risk to Xtrm customers and the Xtrm brand, and apply only to submissions that Xtrm's security engineers determine to be a valid security issue.
Ownership of Submissions
As a condition of participation in the Xtrm Bug Bounty Program, you hereby grant Xtrm, its subsidiaries, affiliates and customers a perpetual, irrevocable, worldwide, royalty-free, transferable, sublicensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative work from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to Xtrm in connection therewith, for any purpose. You should not send us any Submission that you do not wish to license to us. You hereby represent and warrant that the Submission is original to you and you own all right, title and interest in and to the Submission. Further, you hereby waive all other claims of any nature, including express contract, implied-in-fact contract, or quasi-contract, arising out of any disclosure of the Submission to Xtrm. In no event shall Xtrm be precluded from discussing, reviewing, developing for itself, having developed, or developing for third parties, materials which are competitive with those set forth in the Submission irrespective of their similarity to the information in the Submission, so long as Xtrm complies with the terms of participation stated herein.
Termination
In the event (i) you breach any of these Program Terms or the terms and conditions of the Xtrm Agreements; or (ii) Xtrm determines, in its sole discretion, that your continued participation in the Bug Bounty Program could adversely impact Xtrm (including, but not limited to, presenting any threat to Xtrm’s systems, security, finances and/or reputation), Xtrm may immediately terminate your participation in the Bug Bounty Program and disqualify you from receiving any Bounty Payments. Please see our recommendations on the proper procedures for testing our applications.
Confidentiality
Any information you receive or collect about Xtrm or any Xtrm user through the Bug Bounty Program (“Confidential Information”) must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose or distribute any such Confidential Information, including, but not limited to, any information regarding your Submission and information you obtain when researching the Xtrm sites, without Xtrm’s prior written consent.
Indemnification
In addition to any indemnification obligations you may have under the Xtrm Agreements, you agree to defend, indemnify and hold Xtrm, its subsidiaries, affiliates and the officers, directors, agents, joint ventures, employees and suppliers of Xtrm, its subsidiaries, or our affiliates, harmless from any claim or demand (including attorneys’ fees) made or incurred by any third party due to or arising out of your Submissions, your breach of these Program Terms and/or your improper use of the Bug Bounty Program.
Changes to Program Terms
The Bug Bounty Program, including its policies, is subject to change or cancellation by Xtrm at any time, without notice. As such, Xtrm may amend these Program Terms and/or its policies at any time by posting a revised version on our website. By continuing to participate in the Bug Bounty Program after Xtrm posts any such changes, you accept the Program Terms, as modified.