Security.

1. Reporting a vulnerability

If you believe you have found a security vulnerability in Exoliner, please report it to us responsibly. We take all reports seriously and respond as quickly as possible.

Send your report to [email protected] with:

• A clear description of the vulnerability
• Steps to reproduce
• The potential impact or severity
• Any proof-of-concept or screenshots, if applicable
• Your contact information for follow-up

2. What to expect

1. Acknowledgement — receipt of your report within 48 hours.
2. Assessment — our team investigates and validates the reported vulnerability.
3. Resolution — we work to fix the issue and keep you informed of progress. Timelines depend on severity and complexity.
4. Disclosure — once resolved, we may coordinate public disclosure with you if appropriate.

3. Scope of testing

Testing must be limited to assets owned and operated by Exoliner. The following are in scope:

• exoliner.wtf
• api.serverside.plus

Any assets not listed are out of scope. Do not test against third-party services or infrastructure not controlled by Exoliner.

4. Severity classification

Critical

• Remote code execution (RCE)
• SQL injection with data access
• Authentication bypass (full account takeover)
• Privilege escalation to admin

High

• Server-side request forgery (SSRF)
• IDOR with sensitive data access
• Stored cross-site scripting (XSS)
• Sensitive data exposure (API keys, tokens, user PII)
• Authorization bypass between users

Medium

• Reflected XSS
• CSRF on sensitive actions
• IDOR with limited impact
• API abuse with demonstrable impact

Low

• Self-XSS or DOM-based XSS with limited reach
• CSRF on non-sensitive actions
• Minor misconfigurations with limited exploitability

5. Out of scope

• Denial of service (DoS / DDoS) attacks
• Social engineering or phishing against staff or users
• Physical attacks against Exoliner infrastructure
• Vulnerabilities in third-party services not controlled by Exoliner
• Reports from automated scanners without verified impact
• Missing security headers without demonstrated exploit
• Rate-limiting issues unless they show concrete abuse potential

6. Safe harbor

We consider security research conducted in good faith to be authorized. We will not pursue legal action against researchers who comply with this policy and:

• Make a good-faith effort to avoid privacy violations, data destruction, and disruption of service
• Limit testing to assets owned and operated by Exoliner; do not impact other users or production stability
• Do not exploit a vulnerability beyond what is necessary to demonstrate it
• Do not access, modify, or delete data belonging to other users
• Do not attempt to access or download large amounts of data or any sensitive user information
• Report vulnerabilities promptly and do not publicly disclose until we have had a reasonable time to address the issue
• Do not use automated tools that generate excessive traffic or disruption

7. Rewards

Exoliner offers monetary rewards for valid vulnerability reports, scaled by severity. Rewards are paid at our discretion after the vulnerability has been confirmed and resolved.

• Critical — $100 to $200
• High — $50 to $100
• Medium — $15 to $50
• Low — up to $15

Reward amounts are determined based on impact, exploitability, and quality of the report. The final amount is at Exoliner’s sole discretion. To be eligible:

• You must be the first to report the vulnerability
• You must comply with all terms of this disclosure policy
• You must provide a clear, reproducible report
• You must not be a current or former Exoliner staff member

Researchers may also be publicly acknowledged (with permission) for valid reports.

8. Contact

For security inquiries: [email protected]. For general support: [email protected].

We appreciate the security community’s efforts in helping keep Exoliner and its users safe. Thank you for practicing responsible disclosure.