Responsible Disclosure Policy

Last updated: June 13, 2026

1. Our Commitment

Principal LA, LLC operates XHBT® (the "Platform"). We take the security of the Platform and our users seriously. If you believe you have found a security vulnerability, we want to hear from you and will work with you to resolve it promptly.

2. How to Report

Email security reports to [email protected]. Please include:

  • A clear description of the vulnerability and its potential impact
  • Steps to reproduce, including any proof-of-concept code or screenshots
  • The affected URLs, endpoints, or components
  • Any suggested remediation, if you have one

3. What We Ask of You

  • Give us a reasonable amount of time to investigate and remediate before public disclosure
  • Make a good-faith effort to avoid privacy violations, data destruction, and service disruption
  • Do not access, modify, or delete data that does not belong to you
  • Do not run automated scanners that degrade service, or conduct denial-of-service testing
  • Only interact with accounts you own or have explicit permission to test

4. What You Can Expect

  • We will acknowledge your report within five business days
  • We will keep you informed as we investigate and work toward a fix
  • We will not pursue legal action against researchers who follow this policy in good faith
  • We are grateful for your help, though we do not currently offer a paid bug bounty

5. Scope

This policy covers the XHBT website at xhbt.org and the XHBT mobile apps for iOS and Android. Reports about third-party services we rely on (such as hosting or analytics providers) should be directed to those providers, though we welcome a heads-up if the issue affects our users.

6. Contact

Principal LA, LLC
Email: [email protected]