Exa Labs Vulnerability Disclosure Policy
Security is essential to Exa Labs' mission. We appreciate the contributions of ethical hackers who help us uphold high privacy and security standards for our users and technology.
This policy, based on disclose.io, outlines our definition of good faith regarding the discovery and reporting of vulnerabilities and clarifies what you can expect from us in return.
The initial priority rating for most findings will use the Exa Labs Vulnerability Rating Taxonomy. However, vulnerability priority and reward may be modified based on likelihood or impact at Exa Labs' sole discretion. In cases of downgraded issues, researchers will receive a detailed explanation.
Expectations
As part of this policy, we commit to:
- Provide Safe Harbor protection, as outlined below, for vulnerability research conducted according to these guidelines.
- Cooperate with you in understanding and validating your report, ensuring a prompt initial response to your submission.
- Remediate validated vulnerabilities in a timely manner.
- Acknowledge and credit your contribution to improving our security, if you are the first to report a unique vulnerability that leads to a code or configuration change.
Rules of Engagement
To help us distinguish between good-faith hacking and malicious attacks, you must follow these rules:
- You are authorized to perform testing in compliance with this policy.
- Follow this policy and any other relevant agreements. In case of inconsistency, this policy takes precedence.
- Promptly report discovered vulnerabilities.
- Refrain from violating privacy, disrupting systems, destroying data, or harming user experience.
- Use security@exa.ai for vulnerability-related communication.
- Keep vulnerability details confidential until authorized for release by Exa Labs' security team.
- Test only in-scope systems and respect out-of-scope systems.
- Do not access, modify, or use data belonging to others, including confidential Exa Labs data. If a vulnerability exposes such data, stop testing, submit a report immediately, and delete all copies of the information.
- Interact only with your own accounts, unless authorized by Exa Labs.
- Disclosure of vulnerabilities to Exa Labs must be unconditional. Do not engage in extortion, threats, or other tactics to elicit a response under duress. Exa Labs denies Safe Harbor for vulnerability disclosure conducted under such circumstances.
In Scope
- Exa Dashboard (exa.ai)
- Exa API (api.exa.ai)
- Exa MCP
- Exa libraries (exa-py, exa-js)
- Security or privacy issues in any repo owned by https://github.com/exa-labs
Out-of-Scope
The following are non-exhaustively out-of-scope:
- Attacks that may degrade, disrupt, or negatively impact services or user experience (e.g., denial of service, brute force, password spraying, spam, fuzzing), unless specifically authorized by the Exa Labs security team.
  - This includes brute forcing our APIs.
- Attacks that aim to destroy or corrupt data not belonging to you.
- Missing security best practices that do not directly lead to a vulnerability.
- Attacks stemming from stolen or leaked credentials.
- Intentional access to data or information not belonging to you beyond the minimum necessary to demonstrate the vulnerability.
- Physical, social engineering, phishing, or electronic attacks against Exa Labs personnel, offices, wireless networks, or property.
- Any attacks on systems not explicitly mentioned as in-scope.
- Attacks related to email servers, protocols, security (e.g., SPF, DMARC, DKIM), or spam.
- Reports of insecure SSL/TLS ciphers without a working proof-of-concept.
- Reports of missing HTTP headers (e.g., lack of HSTS) without a working proof-of-concept.
- Clickjacking.
- Reports of server error messages without proof of an exploit.
- Discovery of names or references to unreleased products/features.
Specific examples that are out of scope:
- Domains that are CNAME'd to other active third-party service providers. Unused subdomain takeovers are still in scope.
- Changing your password may not invalidate all Auth tokens and API Keys.
- The ability to add other users to your team without their permission.
- Cookies can be transferred from one browser to another.
- Methods to bypass IP blocks or geoblock by changing your IP or using a VPN.
- Methods to bypass Cloudflare on api.exa.ai.
- Methods to emulate a browser to bypass captchas.
- Websites which are not owned and operated by Exa Labs.
- Phishing websites, proxies, discord bots, and other "free" websites which provide access to the product.
- Issues related to billing lagging behind requests.
- Most issues relating to API rate limiting or API quota enforcement unless the bug allows complete bypass.
  - We reward submissions that demonstrate a meaningful bypass of Exa Labs rate limits or platform controls that enables sustained usage at significant scale beyond intended limits. Issues that don't scale to the order of hundreds of requests beyond enforced rate limits (e.g., one-off or low-volume bypasses) are considered out of scope for financial reward.
  - Out of scope: temporarily exceeding the API requests-per-minute limit or the hard spending cap.
- Vulnerabilities in our dormant open source projects.
  - We welcome reports (and patches) but typically will only reward for security issues with demonstrated impact in our actively maintained projects.
- Issues that require excessive user cooperation or unlikely social engineering to trigger, such as loading malicious content from external websites, self XSS through the browser debug pane, disabling browser security features, sending the attacker information out of band, etc.
Examples of Issues We Are Interested In
- Authentication issues
- Authorization issues
- Credential security
- Cross-site request forgery
- Server-side request forgery
- Data exposure
- OAuth issues
- SQL injection
- Payment issues
- Stored or reflected XSS
While researching, we'd like to ask you to refrain from:
- Denial of service
- Spamming
- AI generated reports without validating them yourself
- Social engineering (including phishing) of Exa Labs staff or contractors
Vulnerability Rating Taxonomy
- Low Severity - Exa Swag
- Medium Severity - $250-$1000
- High Severity - $1000-$5000
Safe Harbor
Exa Labs will not threaten or bring any legal action against anyone who makes a good faith effort to comply with this bug bounty policy. This includes any claim under the DMCA for circumventing technological measures to protect the services and applications eligible under this policy.
As long as you comply with this policy:
- We consider your security research to be "authorized" under the Computer Fraud and Abuse Act (and/or similar state laws), and
- We waive any restrictions in our applicable Terms of Use and Usage Policies that would prohibit your participation in this policy, but only for the limited purpose of your security research under this policy.
You are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Note that the Safe Harbor applies only to legal claims under the control of the organization participating in this policy, and that the policy does not bind independent third parties.
If you have concerns or are unsure whether your security research aligns with this policy, please contact security@exa.ai before proceeding.