Responsible Disclosure Policy
Last updated: June 29, 2026
1. Introduction
We value the security community and welcome reports of potential vulnerabilities from security researchers. This policy explains how to report issues to us safely and what you can expect in return.
2. How to Report
Please email security@xenith.life with a clear description of the issue. Where possible, include:
- The type of vulnerability and the affected URL or component.
- Step-by-step instructions to reproduce, and any proof-of-concept.
- The potential impact, as you understand it.
We aim to acknowledge reports within 5 business days and to keep you informed as we investigate and remediate.
3. Guidelines for Researchers
To keep research safe and lawful, we ask that you:
- Make a good-faith effort to avoid privacy violations, data destruction, and interruption or degradation of our Service.
- Only interact with accounts you own or have explicit permission to test. Do not access, modify, or delete other users' data.
- Do not run automated scanning that generates excessive traffic, or perform denial-of-service, social engineering, or physical attacks.
- Give us a reasonable amount of time to remediate before public disclosure, and do not disclose details publicly without our prior written consent.
4. Safe Harbor
If you make a good-faith effort to comply with this policy during your research, we will consider your actions authorized, will not pursue or support legal action against you, and will work with you to understand and resolve the issue quickly. If legal action is initiated by a third party against you for activity conducted under this policy, we will make this authorization known.
5. Out of Scope
Reports limited to the following are generally out of scope and will not be treated as security vulnerabilities:
- Missing best-practice headers without a demonstrated exploit.
- Output from automated tools without manual validation of the finding.
- Social engineering of our staff or users.
- Vulnerabilities in third-party services we do not control; please report those to the relevant provider.
6. Rewards
Xenith does not currently operate a paid bug bounty program. We are grateful for responsible reports and are happy to publicly credit researchers who wish to be recognized.