Out-of-Scope Bugs

Out-of-scope bugs are issues that a security program explicitly does not accept for triage, reward, or remediation. These bugs are excluded either because they pose negligible risk, are too common or theoretical, or fall outside the domain of the responsible team.

✅ General Criteria for Out-of-Scope Bugs

Low/No Security Impact Bugs that do not meaningfully impact confidentiality, integrity, or availability.
Lack of Practical Exploitability Theoretical vulnerabilities that cannot be reasonably exploited in real-world scenarios.
Non-production or third-party systems Issues affecting non-production environments or systems not owned/controlled by the program owner.

🖥️ Out-of-Scope — Web Applications

Category

Examples (Typically Out-of-Scope)

Best practices / Informational

Missing HttpOnly or Secure flags (unless leading to a practical exploit), missing SPF/DKIM/DMARC without impact

Rate limiting / Bruteforce

Lack of rate limiting on non-sensitive actions like search fields

Clickjacking

On pages with no sensitive functionality

Open Redirects

Without demonstrable impact like token theft or phishing

CSRF

On non-sensitive or unauthenticated endpoints

Version disclosure

Stack banners, server headers, or error messages showing version

404s / Debug Pages

Missing or overly verbose error pages without sensitive data

Mixed content

HTTP resources on HTTPS pages that don’t affect security (e.g., images)

Autocomplete enabled

Unless leading to sensitive data leakage

Clickjacking on logout pages

Considered low-risk unless session fixation/forgery is proven

Broken links in blog posts

Broken or dead hyperlinks on marketing, docs, or blog pages

📱 Out-of-Scope — Mobile Applications

Category

Examples (Typically Out-of-Scope)

Root/Jailbreak Detection Bypass

If the app doesn't promise root/jailbreak protection explicitly

Debug Logs / Stack Traces

Unless they expose sensitive data like credentials or tokens

Insecure storage

Low-risk data stored insecurely (e.g., cache files) with no PII or auth tokens

Obfuscation / Reverse Engineering

Lack of obfuscation or repackaging protections

Code decompilation

Reporting the fact that the app can be decompiled

Permissions declared but unused

Common in many Android apps and not a security issue

Clipboard access

Unless sensitive data is copied to the clipboard

End of Life platforms

The platform/version is no longer supported.

PreviousWeb & Mobile NextSmart contracts

Last updated 6 days ago

Out-of-Scope Bugs

✅ General Criteria for Out-of-Scope Bugs

Low/No Security Impact Bugs that do not meaningfully impact confidentiality, integrity, or availability.
Lack of Practical Exploitability Theoretical vulnerabilities that cannot be reasonably exploited in real-world scenarios.
Non-production or third-party systems Issues affecting non-production environments or systems not owned/controlled by the program owner.

🖥️ Out-of-Scope — Web Applications

Category

Examples (Typically Out-of-Scope)

Best practices / Informational

Missing HttpOnly or Secure flags (unless leading to a practical exploit), missing SPF/DKIM/DMARC without impact

Rate limiting / Bruteforce

Lack of rate limiting on non-sensitive actions like search fields

Clickjacking

On pages with no sensitive functionality

Open Redirects

Without demonstrable impact like token theft or phishing

CSRF

On non-sensitive or unauthenticated endpoints

Version disclosure

Stack banners, server headers, or error messages showing version

404s / Debug Pages

Missing or overly verbose error pages without sensitive data

Mixed content

HTTP resources on HTTPS pages that don’t affect security (e.g., images)

Autocomplete enabled

Unless leading to sensitive data leakage

Clickjacking on logout pages

Considered low-risk unless session fixation/forgery is proven

Broken links in blog posts

Broken or dead hyperlinks on marketing, docs, or blog pages

📱 Out-of-Scope — Mobile Applications

Category

Examples (Typically Out-of-Scope)

Root/Jailbreak Detection Bypass

If the app doesn't promise root/jailbreak protection explicitly

Debug Logs / Stack Traces

Unless they expose sensitive data like credentials or tokens

Insecure storage

Low-risk data stored insecurely (e.g., cache files) with no PII or auth tokens

Obfuscation / Reverse Engineering

Lack of obfuscation or repackaging protections

Code decompilation

Reporting the fact that the app can be decompiled

Permissions declared but unused

Common in many Android apps and not a security issue

Clipboard access

Unless sensitive data is copied to the clipboard

End of Life platforms

The platform/version is no longer supported.

PreviousWeb & Mobile NextSmart contracts

Last updated 6 days ago