Hall of Fame

We appreciate the work of security researchers who responsibly disclose vulnerabilities. While we no longer offer monetary rewards, we recognize impactful, verified reports here. Thank you for helping keep Thexyz users safe.

  • Julien Cretel: Reflected XSS — resolved
  • Edwina Pickering: Mail routing misconfiguration — resolved
  • Shawar Khan: Session handling improvement — resolved
  • Norman Kemp: API error info leakage — resolved
  • Mo Shah: CSRF control hardening — resolved
  • Lance Burrows: MX failover edge case — resolved

We welcome vulnerability reports and coordinate fixes with researchers. We do not provide monetary rewards or bounty payments. With your consent, we will acknowledge verified, impactful findings in our Hall of Fame after a fix is deployed.

Please submit a ticket via our secure queue:

Submit Security Report

Include: description, impact, affected URLs/endpoints, reproduction steps, and PoC (text only). Do not test with real customer data or cause service degradation.

In scope:

  • Authentication & authorization flaws
  • Cross-site scripting (stored or reflected)
  • CSRF leading to state change
  • Privilege escalation
  • Sensitive server-side information disclosure

Out of scope:

  • Third-party platforms we do not control
  • Self-XSS, clickjacking on non-sensitive pages
  • DoS/volumetric tests or service degradation
  • Best-practice suggestions without a concrete vulnerability

Rules of engagement:

  • Do not access, modify, or exfiltrate data that isn’t yours.
  • Avoid privacy violations, service degradation, and denial-of-service.
  • Allow reasonable time for remediation prior to public disclosure.
  • No social engineering, spam, physical, or non-technical attacks.
  • Test only assets you reasonably believe are operated by Thexyz.

If you follow these rules in good faith, we will not initiate legal action related to your research.

  1. Acknowledgement: aim to respond within 3 business days.
  2. Assessment: triage, severity, and scope confirmation.
  3. Remediation: fix development, testing, and deployment.
  4. Recognition: add to Hall of Fame (if you consent) once the fix is live.

We use report details only to understand and resolve the issue. Please avoid including personal data whenever possible; any non-essential personal information sent in error will be deleted.