XAPO bank logo

Responsible Disclosure Policy


This policy applies to all security enthusiasts on the internet who may have identified a security problem that could affect Xapo software applications including, but not limited too, Front End Services (web), Mobile Services, Back End and/or Mid-tier Services.

Policy Statement

At Xapo we take the security of our products very seriously. We educate our staff on security best practices and our development process includes quality assurance steps to ensure our products are of high quality and secure. However, like all complex software products, it is possible that a security vulnerability may be present in one of our products. If you discover a security issue or vulnerability in a Xapo product or service, we ask that you report this to us in a confidential manner and in accordance with the guidelines set forth below.


Please email the details of any possible or actual security vulnerability or problem to our security team at [email protected]. We appreciate confidential and responsible disclosures and will acknowledge security researchers when an issue has been reported.

When submitting a report, please provide as many relevant details as you can, including, but not limited to, the following:

  • How the vulnerability can be exploited and the potential impact.
  • How you discovered the vulnerability and clear steps to reproduce.
  • Any proof of concept attack and/or images showing the attack vector.
  • Any known patches or controls to mitigate the vulnerability.

You will not take advantage of the vulnerability or the problem you have discovered or reported nor will you disclose information about it publicly until we have remediated it. You must not require financial compensation inorder to disclose any vulnerabilities as these are not paid unless agreed to in writing.

Please note that while Xapo does not currently have a bug bounty program in place, we are happy to credit researchers with their name and a link to an address of their choosing (e.g. Twitter or personal website) on our Hall of Fame below.

What not to do

  • Denial-of-Service (DoS) or Distributed DoS (DDoS) attacks against Xapo systems and products;
  • Testing against systems owned by third-party companies that integrate with Xapo products;
  • Malicious activities against Xapo or its customers by leveraging Xapo systems;
  • Testing that would degrade the quality of services offered by Xapo; or
  • The handling of malicious software (including but not limited to uploading, sharing or sending) with respect to Xapo.

Xapo will not initiate legal actions against researchers, as long as they adhere to these parameters. Xapo reserves the right to only credit researchers who have reported an issue that is proven and of sufficient severity.


This policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with applicable law, of which might cause Xapo to be in breach of any of its legal obligations.

Security Hall of Fame


A special thanks to the following people that have responsibly disclosed vulnerabilities to Xapo in the past: