Security & Responsible Disclosure
How to report security vulnerabilities in EX1 products and infrastructure.
Effective date: June 18, 2026
DBR Labs, doing business as Everything X1 takes security seriously for Everything X1 ("EX1"). This page describes how to report vulnerabilities and what we expect from researchers.
Report a vulnerability
Email security@everythingx1.com with:
- Description of the issue and potential impact.
- Steps to reproduce, including URLs, accounts, or proof-of-concept if available.
- Your contact information for follow-up.
Please encrypt sensitive reports if your mail client supports PGP and we have published a key.
Scope
In scope:
- everythingx1.com and documented EX1 API endpoints.
- EX1 Desktop updater and authentication flows.
- Account, billing, workspace, and integration security issues affecting EX1 infrastructure.
Out of scope:
- Social engineering, physical attacks, or denial-of-service tests.
- Issues in third-party services outside our control (Stripe, model providers, etc.).
- Accessing or modifying other users' data.
- Destructive testing on production systems.
Responsible disclosure rules
- Do not extort, publicly disclose before we have had reasonable time to remediate, or exploit beyond proof of necessity.
- Do not access data belonging to other users.
- Act in good faith to avoid privacy violations and service disruption.
Our response process
We aim to acknowledge reports within a reasonable period and will keep you informed of remediation progress when appropriate. We do not guarantee bounties or SLAs unless separately agreed in writing.