Contact: mailto:vulnerabilities@x.ai
Expires: 2026-06-07T15:45:00.000Z
Canonical: https://x.ai/security.txt
Security Attestations: https://x.ai/security
Communication Policy: Responses to inquiries will come from security@x.ai; do not email that inbox directly, as it may result in delays.

> Model Safety Issues

For model safety issues (prompt injection, jailbreaking, etc.), please reach out to the AI Safety team via safety@x.ai.

> Product Security Issues

xAI currently has a Bug Bounty program hosted on HackerOne. To report vulnerabilities, please contact the xAI security team through our HackerOne program at https://hackerone.com/x or by emailing vulnerabilities@x.ai with the subject line "Responsible Disclosure."

> Program Guidelines

- Read the program scope carefully (https://hackerone.com/x/policy_scopes)
- Submit reports to our public bug bounty program
- Utilize a HackerOne platform email (@wearehackerone.com) when performing security testing

> The following items should be considered out of scope:

- Physical or social engineering attempts (this includes phishing attacks against xAI employees)
- Ability to send push notifications/SMS messages/emails without the ability to change content
- Findings with negligible security impact
- Open redirects without security or privacy impact
- Reports that state that software is out of date/vulnerable without a proof-of-concept
- Highly speculative reports about theoretical damage
- Vulnerabilities as reported by automated tools that have not been validated
- SSL/TLS scan reports (i.e. output from sites such as SSL Labs)
- Open ports without an accompanying proof-of-concept demonstrating a vulnerability
- Vulnerabilities that do not impact xAI users or employees -- e.g. self-exploitation
- Reports that affect only outdated application clients -- we will only consider vulnerabilities impacting current versions of applications or websites
- Issues that require physical access to a victim's computer/device
- Banner grabbing issues (figuring out what web server we use, etc.)
- Account oracles -- the ability to submit a phone number, email, or UUID and receive back a message indicating that an xAI account exists
- Distributed denial of service attacks (DDoS)

> Reporting Guidelines

High quality submissions allow our team to understand the issue better and engage the appropriate teams to fix it. The best reports provide enough actionable information to verify and validate the issue without requiring any follow-up questions.

Verify the program scope before you submit your report to ensure the issue you are reporting is in scope for the program.

Think through the attack scenario and exploitability of the vulnerability and provide as many clear details as possible to allow us to reproduce the issue (include screenshots if possible).

Please include your understanding of the security impact of the issue. Our bounty payouts are directly tied to security impact; the more details you provide, the better. In some cases, it may not be possible to have all of the context on the impact of a bug. If you're unsure of the direct impact, but feel you may have found something interesting, feel free to submit a detailed report and ask.

Video-only proof-of-concepts (PoCs) will not be considered. A vulnerability must be verifiable and reproducible for us to consider it in scope. All reports must demonstrate security impact to be considered for a bounty reward. Include a CVSS hash supporting the severity of the vulnerability you are reporting.

More guidance on writing high quality reports can be found here: https://docs.hackerone.com/hackers/quality-reports.html

> The following ratings are based on security impact:

- Informational: No payout
- Low: $250-$750 and Hall of Fame thanks
- Medium: $1,000-$3,000 and Hall of Fame thanks
- High: $5,000-$7,000 and Hall of Fame thanks
- Critical: $10,000-$20,000 and Hall of Fame thanks

Previous bounty rewards are not considered as precedent for future rewards. Bounty rewards are not additive and are subject to change as our program evolves. We determine the upper bound for security impact and award based on that impact. Bounty rewards, if provided, will be determined by xAI at our sole discretion. In no event are we obligated to provide a reward for any submission. You are solely responsible for any tax implications related to any bounty rewards you may receive. If we receive multiple reports for the same issue, only the earliest valid reports may be considered for a reward.

Further, you understand that your participation in the program is at your own risk. To the fullest extent permitted by applicable law, except as otherwise provided herein, in no event shall xAI, its affiliates or their employees, contractors, agents, officers or directors be liable to you or the entity through which you are participating in xAI's bug bounty program for any indirect, punitive, incidental, special, consequential or exemplary damages, including without limitation damages for business interruption, loss of profits, goodwill, use, data or other intangible losses arising out of or relating to this program. If you have any basis for recovering damages in connection with the program (including breach of these terms), you agree that your exclusive remedy is to recover, from xAI or any affiliates, resellers, distributors, and vendors, direct damages up to but not in excess of $200.00 (USD).

The exclusions and limitations in this section apply whether the alleged liability is based on contract, tort, negligence, strict liability or any other basis, even if the non-breaching party has been advised of the possibility of such damage.