XDA Coordinated Disclosure Policy
<p>We take the security of our systems seriously, and we value the security community.
The responsible disclosure of security vulnerabilities helps us ensure the security and privacy of our users.</p>
<p>
<strong>Guidelines<br>
</strong>We require that all researchers:</p>
<ul>
<li>Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing;</li>
<li>Perform research only within the scope set out below;</li>
<li>Use the identified communication channels to report vulnerability information to us; and</li>
<li>Keep information about any vulnerabilities you’ve discovered confidential between yourself and XDA Developers until we’ve had 45 days to resolve the issue.</li>
</ul>
<p>If you follow these guidelines when reporting an issue to us, we commit to:</p>
<ul>
<li>Not pursuing or supporting any legal action related to your research;</li>
<li>Working with you to understand and resolve the issue quickly (including an initial confirmation of your report within 72 hours of submission);</li>
<li>Recognizing your contribution publicly, if you so desire, if you are the first to report the issue and we make a code or configuration change based on the issue.</li>
</ul>
<p><strong>Scope</strong></p>
<ul>
<li>http(s)://*.xda-developers.com</li>
<li>XDA Labs</li>
<li>XDA Android App</li>
</ul>
<p>
<strong>Out of scope</strong>
<br>
Any services hosted by 3rd-party providers and services are excluded from scope.</p>
<p>In the interest of the safety of our users, staff, the Internet at large and you as a security researcher, the following test types are excluded from scope:</p>
<ul>
<li>Findings from physical testing such as office access (e.g. open doors, tailgating)</li>
<li>Findings derived primarily from social engineering (e.g. phishing, vishing)</li>
<li>Findings from applications or systems not listed in the ‘Scope’ section</li>
<li>UI and UX bugs and spelling mistakes</li>
<li>Network level Denial of Service (DoS/DDoS) vulnerabilities</li>
</ul>
<p>Things we do not want to receive:</p>
<ul>
<li>Personally identifiable information (PII)</li>
</ul>
<p>
<strong>How to report a security vulnerability?</strong>
<br>
If you believe you’ve found a security vulnerability in one of our products or platforms, please send it to us by emailing security@xda-developers.com.
Please include the following details with your report:</p>
<ul>
<li>Description of the location and potential impact of the vulnerability;</li>
<li>A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us); and</li>
<li>Your name or XDA username and a link for recognition.</li>
</ul>