Out of Scope Bug Bounty Program
Some report types do not qualify for a reward because they have low security impact and do not trigger a code change. This section contains a non-exhaustive list of issues that are often ineligible, unless a chained attack with higher impact can be demonstrated.
Descriptive error messages (e.g. stack traces, application or server errors)
HTTP 404 codes/pages or other HTTP non-200 codes/pages
Banner disclosure on common/public services
Disclosure of known public files or directories (e.g. robots.txt)
Clickjacking and issues only exploitable through clickjacking
CSRF on forms that are available to anonymous users (e.g. the contact form)
Logout Cross-Site Request Forgery (logout CSRF)
Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
Lack of the Secure and HttpOnly cookie flags
Weak Captcha / Captcha Bypass
Username enumeration via Login Page error message
Username enumeration via Forgot Password error message
Login or Forgot Password page brute force and account lockout not enforced
OPTIONS / TRACE HTTP method enabled
SSL/TLS attacks such as BEAST, BREACH and renegotiation attacks
SSL Forward secrecy not enabled
SSL Insecure cipher suites
Missing anti-MIME-sniffing header (X-Content-Type-Options)
Missing HTTP security headers, specifically
Man-in-the-Middle attacks
Vulnerabilities involving stolen credentials or physical access to a device
Social engineering attacks, including those targeting or impersonating internal employees by any means
Vulnerabilities for which there are existing, documented controls
Host header injections without a specific, demonstrable impact
Denial of service (DoS) attacks using automated tools
Self-XSS, i.e. any payload that the victim must enter themselves
Any vulnerabilities requiring significant and unlikely interaction by the victim, such as disabling browser controls
Login/logout CSRF
Content spoofing without embedding an external link or JavaScript
Infrastructure vulnerabilities, including:
Issues related to SSL certificates
DNS configuration issues
Server configuration issues (e.g. open ports, TLS versions, etc.)
Vulnerabilities only affecting users of outdated/unpatched browsers and platforms
Vulnerabilities that only affect one browser will be considered on a case-by-case basis, and may be closed as informative due to the reduced attack surface
Exposed credentials that are either no longer valid or do not pose a risk to an in-scope asset
Any XSS that requires Flash
Phishing / Spam (including issues related to SPF/DKIM/DMARC)
Vulnerabilities found in third-party services
Image files containing EXIF metadata that has not been stripped
MitM and local attacks, missing rate limiting, user enumeration on registration/recovery, open redirects, insufficient session expiration, cookies that remain valid after logout, etc. are not accepted unless additional vectors are identified (e.g. the ability to steal the session token remotely via an open redirect)