Out of Scope Vulnerabilities

Vulnerabilities that require, or are related to, any of the following are not eligible for a bug report:

  • Issues related to rate limiting, brute forcing, or denial of service scenarios (including account enumeration)
  • Missing best practices in SSL/TLS configuration
  • Missing best practices in Content Security Policy (CSP)
  • Missing security headers which don't directly lead to a vulnerability or account compromise
  • Presence of common public files, such as robots.txt or files in the ".well-known" directory
  • Missing DNS and email best practices (invalid, incomplete, or missing DNSSEC/SPF/DKIM/DMARC records, etc.)
  • Information disclosure including software version disclosure, banner identification issues, descriptive error messages or headers (e.g. stack traces, application or server errors)
  • Password policy issues, including the lack of an upper limit on password length
  • Self-exploitation issues (such as self XSS, cookie reuse, self denial of service, etc)
  • XSS that requires a file to be opened in another browser tab or window
  • Attacks requiring Man-in-the-middle (MITM) or physical access to a user's device
  • Vulnerabilities affecting users of older app versions (two or more versions behind the current stable version)
  • Previously known vulnerable libraries (including prototype pollution) without a working Proof of Concept that illustrates a meaningful exploit or account compromise
  • Clickjacking issues, without a working Proof of Concept that illustrates a meaningful exploit or account compromise
  • Blind Server Side Request Forgery (SSRF), without a working Proof of Concept that illustrates a meaningful exploit or account compromise
  • UI and UX bugs (including spelling mistakes or broken links)
  • Failure to invalidate existing sessions on password reset or change
  • Vulnerabilities in existing banking functionalities (e.g., credit cards, wire transfers) that can lead to any kind of abuse
  • Use of Passwords from leaked/breached datasets such as Have I Been Pwned, LeakCheck etc.
  • Exposed Google Maps API keys
  • Theoretical vulnerabilities without actual proof of concept
  • Logout Cross-Site Request Forgery (logout CSRF)
  • Recently disclosed (less than 30 days old) 0-day vulnerabilities
  • Exploits that are only possible on a rooted, jailbroken, or otherwise modified device
  • Vulnerabilities in third party libraries without showing specific impact to the target application (e.g. a CVE with no exploit)
  • Weak CAPTCHA or CAPTCHA bypasses
  • Absence of certificate pinning
  • Any kind of sensitive data stored in the app's private directory
  • Any URIs leaked because a malicious app has permission to view opened URIs
  • Application crashes caused by malformed URL schemes
  • Crashes caused by malformed Intents sent to exported Activities, Services, or BroadcastReceivers

Reports that can be considered a beg bounty (a report of a non-issue or trivial finding submitted mainly to solicit a payout) will not be processed or responded to.