Vulnerability Disclosure

How to report a vulnerability

If you discover vulnerabilities in IT systems and web applications of Exploit Labs, we ask you to inform us. We will promptly take measures to fix the discovered vulnerability as quickly as possible.

Before reporting, please check the cases listed below that fall outside the scope of our Vulnerability Disclosure Policy; these are not processed in this context.

Send your findings regarding the security issue by email to To encrypt the communication, please use the format template and PGP keys listed below.

  • Do not exploit the vulnerability or issue by, for example, downloading, altering, deleting, or uploading data.

  • Do not disclose information about the vulnerability to third parties or institutions unless it has been released by us.

  • Do not carry out attacks on our IT systems that compromise, alter, or manipulate infrastructure and individuals.

  • Do not conduct any social engineering (e.g., phishing), (distributed) denial of service, spam, or other attacks on Exploit Labs.

  • Provide us with sufficient information so we can reproduce and analyze the problem.

  • Provide a contact option for queries.

Typically, the address or URL of the affected system and a description of the vulnerability are sufficient. However, complex vulnerabilities may require further explanations and documentation.

What qualifies?

Any design or implementation issue at Exploit Labs that is reproducible and compromises security can be reported.

Examples include:

  • Cross Site Request Forgery (CSRF)

  • Cross Site Scripting (XSS)

  • Insecure Direct Object Reference

  • Remote Code Execution (RCE) – Injection Flaws

  • Information Leakage and Improper Error Handling

  • Unauthorized access to properties or accounts

  • Data/information leaks

  • Possibility of data/information exfiltration

  • Exploitable backdoors

  • Possibility of unauthorized system usage

  • and many more.

Vulnerabilities that do not qualify

The following vulnerabilities do not fall within the scope of the Vulnerability Disclosure Policy:

  • Forms missing CSRF tokens.

  • Missing security headers that do not directly lead to an exploitable vulnerability.

  • Use of a library known to be vulnerable or publicly compromised (without active proof of exploitability).

  • Reports from automated tools or scans without explanatory documentation.

  • Social engineering against individuals.

  • Denial of Service attacks (DoS/DDoS).

  • Submissions of best-practice recommendations (e.g., certificate pinning, security headers, DMARC, SPF records).

  • Use of vulnerable and "weak" cipher suites/ciphers.

Please also ensure that you do not target third parties and that you respect their disclosure policies.

Found a beacon or our C2

We got something for you

If you were able to attribute parts of our red team infrastructure back to us, we're very interested to hear about it, most likely within the project we're currently engaged in with you. Don't forget to talk to our team about special rewards, maybe even beyond a t-shirt.

If you found other ways to attribute our infrastructure, we're equally interested to hear from you ;)