Out-of-Scope Bugs
Out-of-scope bugs are issues that a security program explicitly does not accept for triage, reward, or remediation. They are excluded because they pose negligible risk, are too common or purely theoretical, or fall outside the domain of the responsible team.
✅ General Criteria for Out-of-Scope Bugs
Low/No Security Impact: Bugs that do not meaningfully impact confidentiality, integrity, or availability.
Lack of Practical Exploitability: Theoretical vulnerabilities that cannot be reasonably exploited in real-world scenarios.
Non-production or third-party systems: Issues affecting non-production environments or systems not owned/controlled by the program owner.
🖥️ Out-of-Scope — Web Applications
| Category | Description |
| --- | --- |
| Best practices / Informational | Missing `HttpOnly` or `Secure` cookie flags (unless leading to a practical exploit); missing SPF/DKIM/DMARC records without demonstrated impact |
| Rate limiting / Brute force | Lack of rate limiting on non-sensitive actions such as search fields |
| Clickjacking | On pages with no sensitive functionality |
| Open Redirects | Without demonstrable impact such as token theft or phishing |
| CSRF | On non-sensitive or unauthenticated endpoints |
| Version disclosure | Stack banners, server headers, or error messages showing a version number |
| 404s / Debug Pages | Missing or overly verbose error pages that contain no sensitive data |
| Mixed content | HTTP resources on HTTPS pages that do not affect security (e.g., images) |
| Autocomplete enabled | Unless it leads to sensitive data leakage |
| Clickjacking on logout pages | Considered low-risk unless session fixation/forgery is proven |
| Broken links in blog posts | Broken or dead hyperlinks on marketing, docs, or blog pages |
📱 Out-of-Scope — Mobile Applications
| Category | Description |
| --- | --- |
| Root/Jailbreak Detection Bypass | If the app does not explicitly promise root/jailbreak protection |
| Debug Logs / Stack Traces | Unless they expose sensitive data such as credentials or tokens |
| Insecure storage | Low-risk data stored insecurely (e.g., cache files) with no PII or auth tokens |
| Obfuscation / Reverse Engineering | Lack of obfuscation or repackaging protections |
| Code decompilation | Reporting the fact that the app can be decompiled |
| Permissions declared but unused | Common in many Android apps and not a security issue |
| Clipboard access | Unless sensitive data is copied to the clipboard |
| End-of-life platforms | The platform/version is no longer supported |