Out of Scope Vulnerabilities
All vulnerabilities that require or are related to the following are not eligible for a bug report:
- Issues related to rate limiting, brute forcing, or denial of service scenarios (including account enumeration)
- Missing best practices in SSL/TLS configuration
- Missing best practices in Content Security Policy (CSP)
- Missing security headers which don't directly lead to a vulnerability or account compromise
- Presence of common public files, such as robots.txt or files in the ".well-known" directory
- Missing DNS and email best practices (invalid, incomplete or missing DNSSEC/SPF/DKIM/DMARC records, etc.)
- Information disclosure including software version disclosure, banner identification issues, descriptive error messages or headers (e.g. stack traces, application or server errors)
- Password policy issues, including lack of upper limit on passwords
- Self-exploitation issues (such as self-XSS, cookie reuse, self denial of service, etc.)
- XSS that requires a file to be opened in another browser tab or window
- Attacks requiring man-in-the-middle (MITM) or physical access to a user's device
- Vulnerabilities affecting users of older app versions (less than two versions behind the current stable version)
- Previously known vulnerable libraries (including prototype pollution) without a working Proof of Concept that illustrates a meaningful exploit or account compromise
- Clickjacking issues, without a working Proof of Concept that illustrates a meaningful exploit or account compromise
- Blind Server Side Request Forgery (SSRF), without a working Proof of Concept that illustrates a meaningful exploit or account compromise
- UI and UX bugs (including spelling mistakes or broken links)
- Failure to invalidate session on password reset or change
- Vulnerabilities in existing banking functionalities (e.g., credit cards, wire transfers) that can lead to any kind of abuse
- Use of passwords from leaked/breached datasets such as Have I Been Pwned, LeakCheck, etc.
- Google Maps API Key
- Theoretical vulnerabilities without actual proof of concept
- Logout Cross-Site Request Forgery (logout CSRF)
- Recently (less than 30 days) disclosed 0day vulnerabilities
- Exploits that are only possible on rooted, jailbroken or otherwise modified devices
- Vulnerabilities in third party libraries without showing specific impact to the target application (e.g. a CVE with no exploit)
- Weak CAPTCHA or CAPTCHA bypasses
- Absence of certificate pinning
- Any kind of sensitive data stored in app private directory
- Any URIs leaked because a malicious app has permission to view opened URIs
- Application crashes due to malformed URL schemes
- Crashes due to malformed Intents sent to an exported Activity/Service/BroadcastReceiver
Reports that can be considered a beg bounty will not be processed or responded to.