Responsible Disclosure
We're security practitioners ourselves. We respect the research community and welcome good-faith vulnerability reports against Axl.net systems. If you find something, we want to hear about it, and we commit to not pursuing legal action against researchers who act in good faith and follow this policy.
Scope
- The Axl.net website (axl.net)
- The Axl.net Platform (app.axl.net)
- Axl.net APIs and infrastructure
Out of scope:
- Client websites, applications, and environments (we cannot authorize testing against them)
- Third-party services and integrations
- Social engineering attacks against Axl.net employees or clients
- Physical security testing
How to report
Email: info@axl.net
Include as much of the following as possible:
- A clear description of the vulnerability and affected component
- Steps to reproduce, including any tools or configurations used
- Impact assessment: what an attacker could achieve
- Proof-of-concept code, screenshots, or logs if available
Please minimize the use of functional exploit code in your report. A description of the vulnerability and reproduction steps is preferred over weaponized exploits, consistent with EFF guidance on vulnerability reporting.
Rules of engagement
- Do not access, modify, or delete data that is not your own
- No denial-of-service or DDoS testing
- No automated scanning at scale. Keep testing targeted and manual
- Do not use social engineering against Axl.net employees or clients
- Do not test against client environments. You do not have authorization
- Do not share vulnerability details with third parties before the issue is resolved
- Stop testing and report immediately if you inadvertently access sensitive data
Response timeline
We are a small team. We will review and respond to reports on a best-effort basis. We take every valid report seriously, but we cannot guarantee specific response or remediation timelines.
Safe harbor
Axl.net Security will not pursue legal action against researchers who:
- Act in good faith and comply with this policy
- Avoid privacy violations, service disruption, and data destruction
- Do not exploit vulnerabilities beyond what is necessary to demonstrate the issue
- Allow reasonable time for remediation before any public disclosure
We consider security research conducted in accordance with this policy to be authorized and will not initiate legal action under the Computer Fraud and Abuse Act (CFAA), the DMCA, or equivalent laws.
What you can expect
- Prompt acknowledgement of your report
- Open communication throughout the investigation
- Credit in any public advisory (if you want it)
- Reports go directly to our security team. A small team monitors info@axl.net
Nuisance findings
We do this work every day. The following are well-understood configuration findings that do not represent exploitable vulnerabilities. Please do not report them, here or anywhere else.
- DMARC policy issues (e.g. p=none)
- SPF soft fail (~all) configurations
- Missing or misconfigured HTTP security headers (CSP, X-Frame-Options, HSTS, etc.)
- TLS configuration findings (cipher suite order, protocol version support, certificate transparency)
These show up in every scanner report. We are aware of them. If you have found something that is actually exploitable, we want to hear about it, but scanner output copy-pasted into an email is not a vulnerability report.
Bug bounty
Axl.net does not operate a bug bounty program and does not offer monetary rewards for vulnerability reports. We appreciate the time and effort researchers invest in making the internet safer.
Contact
Report vulnerabilities to info@axl.net. For general inquiries, use info@axl.net.