# Out-of-Scope Bugs

**Out-of-scope bugs** are issues that a security program **explicitly does not accept for triage, reward, or remediation**. These bugs are **excluded** because they pose negligible risk, are too common or purely theoretical, or fall outside the domain of the responsible team.

### ✅ **General Criteria for Out-of-Scope Bugs**

1. **Low/No Security Impact**\
   Bugs that do not meaningfully impact confidentiality, integrity, or availability.
2. **Lack of Practical Exploitability**\
   Theoretical vulnerabilities that cannot be reasonably exploited in real-world scenarios.
3. **Non-production or third-party systems**\
   Issues affecting non-production environments or systems not owned/controlled by the program owner.

### 🖥️ **Out-of-Scope — Web Applications**

| Category                                                            | Examples (Typically Out-of-Scope)                                                                                                                                                                                             |
| ------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Best practices / Informational**                                  | Missing `HttpOnly` or `Secure` flags (unless leading to a practical exploit), missing SPF/DKIM/DMARC without impact                                                                                                           |
| **Rate limiting / Bruteforce**                                      | Lack of rate limiting on non-sensitive actions like search fields                                                                                                                                                             |
| **Clickjacking / Tapjacking**                                       | On pages with no sensitive functionality                                                                                                                                                                                      |
| **Open Redirects**                                                  | Without demonstrable impact like token theft or phishing                                                                                                                                                                      |
| **CSRF**                                                            | On non-sensitive or unauthenticated endpoints, logout CSRF                                                                                                                                                                    |
| **Version disclosure**                                              | Stack banners, server headers, or error messages showing version                                                                                                                                                              |
| **404s / Debug Pages**                                              | Missing or overly verbose error pages without sensitive data                                                                                                                                                                  |
| **Mixed content**                                                   | HTTP resources on HTTPS pages that don’t affect security (e.g., images)                                                                                                                                                       |
| **Autocomplete enabled**                                            | Unless leading to sensitive data leakage                                                                                                                                                                                      |
| **Clickjacking on logout pages**                                    | Considered low-risk unless session fixation/forgery is proven                                                                                                                                                                 |
| **Broken links**                                                    | On marketing, documentation, or blog pages                                                                                                                                                                                    |
| **Image metadata**                                                  | EXIF data leakage or filename disclosure, unless it exposes sensitive user information or poses a clear security risk                                                                                                         |
| **Pre-account takeover**                                            | An attacker registers or gains access to an account *before* the legitimate user does, typically by exploiting predictable sign-up flows or reused credentials                                                                |
| **Host Header Injection**                                           | Without PoC demonstrating security impact                                                                                                                                                                                     |
| **Man-in-the-Middle (MitM) Attacks**                                | Reports that require attacker control of the network (e.g., open Wi-Fi) and show no impact beyond the compromised channel                                                                                                   |
| **Third-Party Assets / Out of Scope Domains**                       | Vulnerabilities in assets not owned by the company                                                                                                                                                                            |
| **Theoretical / Scanner Reports**                                   | Auto-generated issues, theoretical bugs without practical impact                                                                                                                                                              |
| **DoS / Resource Exhaustion**                                       | Denial of Service or rate abuse without authentication bypass or security impact                                                                                                                                              |
| **Content/Text Injection**                                          | Without control over HTML/CSS or a demonstrated attack vector                                                                                                                                                                |
| **Content Spoofing**                                                | Without embedded HTML or phishing vector                                                                                                                                                                                      |
| **Certificate / TLS / SSL Issues**                                  | Unless leading to data interception or tampering                                                                                                                                                                              |
| **Public Login Panels**                                             | Without proof of vulnerability or impact                                                                                                                                                                                      |
| **Outdated software**                                               | Reports about outdated software/libraries without a working exploit                                                                                                                                                           |
| **Session Fixation**                                                | Session fixation without a demonstrated impact such as privilege escalation or account takeover                                                                                                                               |
| **0day/1day vulnerabilities**                                       | Recently (less than 30 days) disclosed vulnerabilities                                                                                                                                                                        |
| **CORS issues**                                                     | CORS misconfigurations without practical proof of concept demonstrating successful extraction of credentials or sensitive data from an attacker-controlled domain                                                             |
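
Several rows above (missing `Secure`/`HttpOnly` flags, CORS misconfigurations) hinge on the same question: is there a practical path to credential or data theft, or is the finding merely a best-practice note? The helper below is an added example, not code from the program or page, that applies that triage rule to constructed `Set-Cookie` and CORS response headers. The cookie-name hints, the test origin `https://attacker.example`, and the sample headers are all assumptions made for the example.

```python
"""Triage helper: classify cookie-flag and CORS findings as in-scope or
out-of-scope based on practical impact, not on the mere presence of the issue.
Added example; the heuristics and sample data are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed name fragments that suggest a cookie carries a session or auth token.
SESSION_NAME_HINTS = ("session", "sess", "auth", "token", "jwt", "sid")


@dataclass
class Finding:
    title: str
    verdict: str   # "in-scope" or "out-of-scope"
    reason: str


def parse_set_cookie(header_value: str):
    """Split a Set-Cookie value into (name, value, {attribute: value|True})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes such as Secure/HttpOnly have no value; store True.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def looks_sensitive(cookie_name: str) -> bool:
    lowered = cookie_name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def triage_cookie(header_value: str) -> Optional[Finding]:
    """Missing Secure/HttpOnly is in-scope only on a session/auth-like cookie."""
    name, _, attrs = parse_set_cookie(header_value)
    missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
    if not missing:
        return None
    title = f"Cookie '{name}' missing {', '.join(missing)}"
    if looks_sensitive(name):
        return Finding(title, "in-scope",
                       "session/auth cookie exposed to plaintext transport or script access")
    return Finding(title, "out-of-scope",
                   "non-sensitive cookie; best-practice finding without practical impact")


def triage_cors(test_origin: str, headers: Dict[str, str]) -> Optional[Finding]:
    """Decide whether a CORS response lets a foreign origin read authenticated data.

    test_origin is the Origin sent in the probe request (a domain the program
    does not own). Header names are compared case-insensitively.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    acao = lowered.get("access-control-allow-origin")
    creds = lowered.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return None
    if acao == "*":
        # Browsers refuse credentialed responses with a wildcard ACAO, so only
        # already-public data is readable cross-origin.
        return Finding("CORS wildcard origin", "out-of-scope",
                       "wildcard cannot be combined with credentials")
    if acao in (test_origin, "null") and creds:
        return Finding(f"CORS allows '{acao}' with credentials", "in-scope",
                       "foreign origin can read authenticated responses")
    if acao in (test_origin, "null"):
        return Finding(f"CORS allows '{acao}' without credentials", "out-of-scope",
                       "origin reflected but no credentials; only public data is readable")
    return None


if __name__ == "__main__":
    # Constructed sample headers for demonstration.
    for cookie in ("session=abc123; Path=/",
                   "theme=dark; Path=/",
                   "session=abc123; Secure; HttpOnly; SameSite=Lax"):
        print(cookie, "->", triage_cookie(cookie))
    print(triage_cors("https://attacker.example",
                      {"Access-Control-Allow-Origin": "https://attacker.example",
                       "Access-Control-Allow-Credentials": "true"}))
```

The verdicts mirror the table: a finding only moves to in-scope when the header combination actually yields a cross-origin read of credentials or data, which is the evidence a triager would expect in the report.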

***

### 📱 **Out-of-Scope — Mobile Applications**

| Category                               | Examples (Typically Out-of-Scope)                                              |
| -------------------------------------- | ------------------------------------------------------------------------------ |
| **Root/Jailbreak Detection Bypass**    | If the app doesn't promise root/jailbreak protection explicitly                |
| **Debug Logs / Stack Traces**          | Unless they expose sensitive data like credentials or tokens                   |
| **Insecure storage**                   | Low-risk data stored insecurely (e.g., cache files) with no PII or auth tokens |
| **Obfuscation / Reverse Engineering**  | Lack of obfuscation or repackaging protections                                 |
| **Code decompilation**                 | Reporting the fact that the app can be decompiled                              |
| **Permissions declared but unused**    | Common in many Android apps and not a security issue                           |
| **Clipboard access**                   | Unless sensitive data is copied to the clipboard                               |
| **End of Life platforms**              | The platform/version is no longer supported.                                   |
| **Rate Limit Bypass via IP/Device ID** | Changing IP/device ID to bypass rate limits with no further impact             |
| **MitM/Local Attacks**                 | Without clear proof of data manipulation or impact                             |
