At XPlus Technologies LLC, security is a foundational principle of how we build software. This page outlines our approach to security and how to report vulnerabilities.
Our Security Practices
Secure development lifecycle: Security considerations are integrated into every phase of development, from design to deployment.
Encryption: All data in transit is encrypted using TLS 1.2 or newer. Sensitive data at rest is encrypted using AES-256.
Access control: We implement the principle of least privilege across all systems and services.
Monitoring: Our infrastructure is continuously monitored for anomalies and potential security threats.
Regular updates: Dependencies and systems are regularly updated to address known vulnerabilities.
Code review: All code changes go through review before deployment.
Infrastructure
Cloudflare-proxied traffic with DDoS mitigation.
Automated backups with encryption.
Network segmentation and firewall rules.
Intrusion detection and fail2ban on all servers.
Responsible Disclosure
We value the security research community. If you discover a vulnerability in any of our products or services, we encourage you to report it responsibly.
We will not take legal action against good-faith security researchers.
We will credit you (if desired) when the issue is resolved.
Scope
The following are in scope for responsible disclosure:
xplusfinance.org and its subdomains
XPlus Finance web and mobile applications
XPlus Technologies LLC APIs
Please do not perform denial-of-service attacks, access other users' data, or publicly disclose vulnerabilities before we have had a chance to address them.