Skip to content
Close
  • Products and Parts
  • Applications
  • Support
  • About
  • Knowledge Center

Vulnerability Disclosure Policy

XOS, Inc. builds analytical X-ray instruments used in laboratory and process-control environments. We take the security of our products seriously and appreciate the work of security researchers, customers, and partners who report vulnerabilities to us in good faith.

Scope. This policy covers all XOS products containing software: R-Series and Petra benchtop analyzers, CCM and its XOS-operated cloud service, online process analyzers, the XOS software update packages we distribute, and the xos.com web presence.

How to report. Email security@xos.com with: the product and software version affected (the model and serial number are on the instrument label; the software version is shown in the instrument UI), a description of the vulnerability, steps to reproduce or proof-of-concept, and the impact you assess. Please do not include sensitive data in your report — no personal information, credentials, or customer data. To send sensitive technical material, encrypt it with our PGP key, linked from this page and from our security.txt.

What we commit to. We will acknowledge your report within 5 business days and give you an initial assessment within 10 business days. We will keep you informed of remediation progress, tell you when a fix is released, and credit you in the associated advisory unless you prefer to remain anonymous. We do not currently operate a paid bug bounty program.

Coordinated disclosure. We ask that you give us 90 days from acknowledgment before public disclosure, and that you do not access, modify, or destroy data belonging to others, degrade a production instrument or the CCM cloud service, or use a vulnerability beyond the minimum needed to demonstrate it. We will not pursue or support legal action against researchers who make a good-faith effort to comply with this policy.

Out of scope. Social engineering of XOS staff or customers, physical attacks on instruments, denial-of-service testing against the CCM cloud service, and findings that require physical disassembly of an instrument to exploit (report these anyway — they are useful — but they are handled outside the coordinated-disclosure timeline).

After a fix. We publish security advisories describing fixed vulnerabilities, affected products and versions, severity, and the update that remediates them. Security updates for supported products are free of charge for the published support period of each product.

Terms. Information you submit under this policy is considered non-proprietary and non-confidential, and XOS may use it without restriction to understand, remediate, and publicly describe the issue. The response commitments above are good-faith targets, not a guarantee of a particular outcome. We may update this policy from time to time; the version published on this page applies to new reports.

Changes to this policy. From time to time, we may update this Policy. The most up-to-date copy will be found on our website. Please check our site periodically for updates.