Out of Scope Bug Bounty Program

Some report types do not qualify for a reward because they have low security impact and do not trigger a code change. This section contains a non-exhaustive list of issues that are often ineligible, unless a chained attack with higher impact can be demonstrated.

  • Descriptive error messages (e.g. Stack Traces, application or server errors)

  • HTTP 404 codes/pages or other HTTP non-200 codes/pages

  • Banner disclosure on common/public services

  • Disclosure of known public files or directories, (e.g. robots.txt)

  • Clickjacking and issues only exploitable through clickjacking

  • CSRF on forms that are available to anonymous users (e.g. the contact form)

  • Logout Cross-Site Request Forgery (logout CSRF)

  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality

  • Lack of Secure and HTTP-Only cookie flags

  • Weak Captcha / Captcha Bypass

  • Username enumeration via Login Page error message

  • Username enumeration via Forgot Password error message

  • Login or Forgot Password page brute force and account lockout not enforced

  • OPTIONS / TRACE HTTP method enabled

  • SSL Attacks such as BEAST, BREACH, Renegotiation attack

  • SSL Forward secrecy not enabled

  • SSL Insecure cipher suites

  • The Anti-MIME-Sniffing header X-Content-Type-Options

  • Missing HTTP security headers, specifically

  • Man-in-the-Middle attacks

  • Vulnerabilities involving stolen credentials or physical access to a device

  • Social engineering attacks, including those targeting or impersonating internal employees by any means

  • Vulnerabilities for which there are existing, documented controls

  • Host header injections without a specific, demonstrable impact

  • Denial of service (DoS) attacks using automated tools

  • Self-XSS, which includes any payload entered by the victim

  • Any vulnerabilities requiring significant and unlikely interaction by the victim, such as disabling browser controls

  • Login/logout CSRF

  • Content spoofing without embedding an external link or JavaScript

  • Infrastructure vulnerabilities, including:

    • Issues related to SSL certificates

    • DNS configuration issues

    • Server configuration issues (e.g. open ports, TLS versions, etc.)

  • Vulnerabilities only affecting users of outdated/unpatched browsers and platforms

  • Vulnerabilities that only affect one browser will be considered on a case-by-case basis, and may be closed as informative due to the reduced attack surface

  • Exposed credentials that are either no longer valid, or do not pose a risk to an in scope asset

  • Any XSS that requires Flash

  • Phishing / Spam (including issues related to SPF/DKIM/DMARC)

  • Vulnerabilities found in third-party services

  • Any image file data which contain a non stripped EXIF data on images

  • MitM and local attacks, no rate limit, user enumeration on registration/recovery, open redirections, insufficient session expiration, cookies working after logout etc are not accepted unless there are additional vectors identified (e.g. ability to steal the session token via remote vector for open redirection)