XPX Oncall Coverage Command

Security

Security Disclosure

XPX Oncall welcomes good-faith vulnerability reports that help improve the safety of the platform, website, and related services.

Last updated March 18, 2026 Good-faith reporting Coordinated disclosure requested

1. How to Report

Send good-faith vulnerability reports to sales@xpxoncall.com with the subject line Security Disclosure. If you are reporting on behalf of a customer or security firm, include the organization name and the best way to reach you for follow-up.

2. What to Include

  • A clear description of the issue and the affected host, feature, or workflow.
  • Reproduction steps, timestamps, screenshots, or request samples when available.
  • The observed impact and any conditions required to reproduce the issue safely.
  • Your contact details and disclosure preferences.

3. What to Expect

We aim to acknowledge legitimate reports in a reasonable timeframe, review the issue, and coordinate follow-up as needed. Submission of a report does not guarantee a public acknowledgment, service credit, bounty, or contractual relationship.

4. Research Rules

  • Avoid destructive testing, denial-of-service activity, spam, phishing, or social engineering.
  • Do not access, retain, alter, or disclose data that does not belong to you.
  • Stop testing and report promptly if you encounter sensitive information or customer data.
  • Do not publicly disclose vulnerabilities until a reasonable remediation window has been provided.
The machine-readable disclosure contact is also published in security.txt.