Security

Responsible disclosure.

We build a security platform. Of course we have a disclosure programme.

If you believe you have discovered a security vulnerability affecting the Hax platform, its marketing surface, or any XContent infrastructure, we would like to hear from you.

How to report

  • Email security@xcontent.com
  • PGP key fingerprint published in our security.txt
  • Subject line should start with [disclosure]

What to include

  • A clear description of the issue
  • Steps to reproduce, including affected URLs / endpoints
  • Your assessment of impact
  • Whether you would like public credit (and how to attribute)

What to expect

  • Acknowledgement within 2 business days
  • Initial assessment within 7 business days
  • Remediation timeline communicated once impact is understood
  • Public credit on this page (with your permission) once a fix is shipped

Safe harbour

We will not pursue legal action against researchers who act in good faith, who do not intentionally degrade availability for our customers, who do not access or modify customer data, and who give us a reasonable opportunity to remediate before public disclosure.

Out of scope

  • Findings from automated tools without supporting evidence
  • Social engineering of XContent employees, customers, or partners
  • Physical attacks against XContent offices or infrastructure
  • Denial-of-service attacks
  • Attacks on third-party services (raise these with the third party directly)