Vulnerability Disclosure Policy

At Exploitless, security is our core business and responsibility.

We value the global security research community and encourage responsible disclosure of vulnerabilities that may affect our infrastructure, platforms, tools, or services.

This policy outlines how to report vulnerabilities, what researchers can expect from us, and the rules of engagement.

1. Scope

This policy applies to vulnerabilities discovered in systems owned or operated by Exploitless, including:

  • exploitless.com
  • Subdomains operated by Exploitless
  • Client portals or dashboards we host
  • Public infrastructure and APIs
  • Security tools or platforms we develop

If you are unsure whether a system is in scope, contact us before testing.

2. Out-of-Scope Targets

Unless explicitly authorized in writing, the following are out of scope:

  • Client smart contracts audited by Exploitless
  • Client infrastructure or applications
  • Third-party integrations or vendors
  • Social engineering attacks
  • Physical security testing
  • Denial-of-service (DoS / DDoS) attacks
  • Spam or phishing attempts

Testing client systems without permission may be illegal.

3. How to Report a Vulnerability

Please submit reports via email:

support@exploitless.com

Include:

  • Detailed vulnerability description
  • Steps to reproduce
  • Proof-of-concept (PoC) if available
  • Affected URLs, systems, or endpoints
  • Screenshots, logs, or technical evidence
  • Your contact information

We encourage encrypted submissions where possible.

4. Responsible Disclosure Guidelines

We ask researchers to:

  • Act in good faith
  • Avoid privacy violations
  • Avoid data destruction or modification
  • Avoid service disruption
  • Test only what is necessary to prove the issue
  • Not access other users' data

Do not publicly disclose vulnerabilities before coordinated resolution.

5. Safe Harbor

Exploitless will not pursue legal action against researchers who:

  • Follow this policy in good faith
  • Avoid privacy invasion or service disruption
  • Do not exploit vulnerabilities beyond proof-of-concept

We consider such research authorized.

However, activities exceeding these boundaries may result in legal action.

6. Our Commitment

When you submit a valid report, we commit to:

  • Acknowledge receipt as soon as possible
  • Investigate the report promptly
  • Provide status updates where possible
  • Work toward remediation in a reasonable timeframe
  • Credit researchers publicly (if desired)

7. Disclosure Timeline

We follow coordinated disclosure principles:

  • Issues are fixed before public disclosure
  • Researchers agree to allow a reasonable period for remediation
  • Public write-ups are coordinated mutually

If a fix is not possible quickly, temporary mitigations may be applied.

8. Rewards & Bounties

At this time, Exploitless does not operate a public bug bounty program.

However, we may offer discretionary rewards for:

  • Critical vulnerabilities
  • High-quality reports
  • Novel attack vectors

Rewards, if granted, are determined on a case-by-case basis.

9. Confidentiality

All vulnerability reports are treated as confidential.

We will not disclose researcher identities without permission, except where required by law.

10. Legal Compliance

By participating in this disclosure process, you agree to comply with all applicable laws and regulations.

Unauthorized testing outside this policy's scope is strictly prohibited.

11. Policy Updates

Exploitless may update this Vulnerability Disclosure Policy periodically.

The latest version will always be available on our website.

12. Contact

Security reports and inquiries:

Exploitless Security Team

Email: support@exploitless.com

Note: We take all security reports seriously. Your contribution helps us maintain the highest standards of security for our clients and the broader blockchain ecosystem.