thexyz.com
External Program
Submit bugs directly to this organization
We appreciate the work of security researchers who responsibly disclose vulnerabilities. While we no longer offer monetary rewards, we recognize impactful, verified reports here. Thank you for helping keep Thexyz users safe.
Hall of Fame:
Julien Cretel: Reflected XSS — resolved
Edwina Pickering: Mail routing misconfiguration — resolved
Shawar Khan: Session handling improvement — resolved
Norman Kemp: API error info leakage — resolved
Mo Shah: CSRF control hardening — resolved
Lance Burrows: MX failover edge case — resolved
Responsible Disclosure (No Bounties)
We welcome vulnerability reports and coordinate fixes with researchers. We do not provide monetary rewards or bounty payments. With your consent, we will acknowledge verified, impactful findings in our Hall of Fame after a fix is deployed.
How to Report
Please submit a ticket via our secure queue:
[Submit Security Report](https://www.thexyz.com/account/submitticket.php?step=2&deptid=3&subject=Security%20Bug%20Report)
Include: description, impact, affected URLs/endpoints, reproduction steps, and PoC (text only). Do not test with real customer data or cause service degradation.
Scope & Examples
In scope:
Authentication & authorization flaws
Cross-site scripting (stored or reflected)
CSRF leading to state change
Privilege escalation
Sensitive server-side information disclosure
Out of scope:
Third-party platforms we do not control
Self-XSS, clickjacking on non-sensitive pages
DoS/volumetric tests or service degradation
Best-practice suggestions without a concrete vulnerability
Safe Harbor & Researcher Guidelines
Do not access, modify, or exfiltrate data that isn’t yours.
Avoid privacy violations, service degradation, and denial-of-service.
Allow reasonable time for remediation prior to public disclosure.
No social engineering, spam, physical, or non-technical attacks.
Test only assets you reasonably believe are operated by Thexyz.
If you follow these rules in good faith, we will not initiate legal action related to your research.
Our Process & Timelines
Acknowledgement: we aim to respond within 3 business days.
Assessment: triage, severity, and scope confirmation.
Remediation: fix development, testing, and deployment.
Recognition: add to Hall of Fame (if you consent) once the fix is live.
Privacy & Data Handling for Reports
We use report details only to understand and resolve the issue. Please avoid including personal data whenever possible; any non-essential personal information sent in error will be deleted.