Report Security Vulnerabilities
We take security seriously at CyberX. If you've discovered a security vulnerability in our systems, we encourage you to report it responsibly. We appreciate your help in keeping our services secure.
Our Commitment
When you report a security vulnerability to us in good faith, we commit to:
- Acknowledge receipt of your report within 48 hours
- Keep you informed of our progress in addressing the vulnerability
- Work with you to understand and resolve the issue quickly
- Not pursue legal action against researchers who follow responsible disclosure
- Credit you for your discovery (if desired) once the issue is resolved
How to Report
Please send security vulnerability reports to:
Your report should include:
- A clear description of the vulnerability
- Steps to reproduce the issue
- The potential impact of the vulnerability
- Any supporting evidence (screenshots, logs, proof of concept)
- Your contact information for follow-up
- Whether you wish to be credited for the discovery
Encryption: For sensitive reports, please request our PGP public key for encrypted communication.
In Scope
We're interested in vulnerabilities affecting:
- cyberxhubs.com and all subdomains
- CyberX web applications and APIs
- Authentication and authorization mechanisms
- Data handling and storage
- Payment processing systems
- Security Scanner tool
Examples of qualifying vulnerabilities:
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- SQL Injection
- Remote Code Execution
- Authentication/Authorization bypass
- Sensitive data exposure
- Server-Side Request Forgery (SSRF)
- Insecure Direct Object References
Out of Scope
The following are not considered qualifying vulnerabilities:
- Denial of Service (DoS/DDoS) attacks
- Social engineering or phishing attacks against our staff
- Physical attacks against our offices or data centers
- Spam or social engineering techniques
- Clickjacking on pages with no sensitive actions
- Missing security headers that don't lead to exploitable vulnerabilities
- Software version disclosure
- Self-XSS (requiring user interaction)
- Issues in third-party services or applications
- Theoretical vulnerabilities without proof of concept
- Reports from automated scanners without manual verification
Responsible Disclosure Guidelines
When researching vulnerabilities, please:
- Do: Make a good faith effort to avoid privacy violations, data destruction, and service disruption
- Do: Only interact with accounts you own or have explicit permission to test
- Do: Stop testing and report immediately if you access sensitive data
- Do: Give us reasonable time to fix the issue before public disclosure
- Don't: Access, modify, or delete data that doesn't belong to you
- Don't: Perform actions that could harm users or our services
- Don't: Publicly disclose the vulnerability before it's fixed
Response Timeline
Recognition
We value security researchers who help us keep CyberX secure. For qualifying reports, we offer:
- Public acknowledgment on our security page (if desired)
- A letter of recognition for your portfolio
- Consideration for our Hall of Fame
- Professional networking opportunities
Note: At this time, we do not offer monetary bounties, but we deeply appreciate the security community's efforts in helping us maintain a secure platform.
Legal Safe Harbor
If you conduct security research in accordance with this policy, we will:
- Consider your research authorized under the Computer Misuse Act 1990
- Not pursue civil or criminal action against you
- Work with you in good faith to resolve the issue
This safe harbor applies only to research conducted in compliance with the guidelines outlined in this policy.
