Vulnerability Disclosure Policy
xtra audio welcomes feedback from security researchers and the general public to help improve the security of our systems and data.
If you discover a vulnerability, privacy issue, exposed data, or other security concern affecting any of our digital assets, we want to hear from you. This policy outlines how to submit reports, what we expect from researchers, and what you can expect from us.
Scope
This policy applies to all digital assets owned, operated, or maintained by xtra audio, including but not limited to the xtra audio platform, associated APIs, and publicly accessible web properties.
Out of Scope
Assets or devices not owned or managed by xtra audio are out of scope. Vulnerabilities discovered in third-party systems should be reported to the appropriate vendor or authority.
Our Commitments
When working with us under this policy, you can expect us to:
- Respond to your report promptly and work with you to understand and validate the issue.
- Keep you informed about the progress of a reported vulnerability.
- Work to remediate confirmed vulnerabilities in a timely manner, within our operational constraints.
- Extend Safe Harbor protection for security research conducted in compliance with this policy.
Our Expectations
When you participate in our vulnerability disclosure program in good faith, we ask that you:
- Follow this policy and any other applicable agreements. Where there is a conflict, this policy takes precedence.
- Report any discovered vulnerabilities promptly via the official channels listed below.
- Avoid violating the privacy of others, disrupting our systems, destroying data, or degrading the user experience.
- Use only the official channels described below to communicate vulnerability information.
- Allow us a reasonable amount of time to address the reported issue before making any information public.
- Only test against in-scope systems and respect systems that are out of scope.
- If you gain access to unintended data, limit the amount you access to the minimum required to effectively demonstrate a proof of concept. Stop testing and submit a report immediately if you encounter any user data, including but not limited to personally identifiable information (PII), financial data, or proprietary information.
- Only interact with accounts you own or for which you have explicit permission from the account holder.
- Do not engage in extortion or make threats.
Official Channels
Please report security issues via the xtra audio contact form. Include as much detail as possible — the more context you provide, the faster we can triage and address the issue.
Safe Harbor
Security research conducted in accordance with this policy is considered:
- Authorized under applicable anti-hacking laws. xtra audio will not initiate or support legal action against you for accidental, good-faith violations of this policy.
- Authorized under relevant anti-circumvention laws. We will not bring claims against you for bypassing technological measures in the course of your research.
- Exempt from restrictions in our Terms of Service or Acceptable Use Policy that would otherwise interfere with the conduct of security research. We waive those restrictions on a limited basis.
- Lawful, beneficial to the overall security of the internet, and conducted in good faith.
You are expected to comply with all applicable laws at all times. If legal action is initiated by a third party against you and you have fully complied with this policy, xtra audio will take reasonable steps to make it known that your actions were conducted in accordance with this policy.
Safe Harbor applies only to legal claims under the control of xtra audio and does not bind independent third parties. If at any point you are uncertain whether your conduct complies with this policy, please submit a report through our official channels before proceeding further.