Out-of-Scope Bugs

Out-of-scope bugs are issues that a security program explicitly does not accept for triage, reward, or remediation. They are excluded because they pose negligible risk, are too common or purely theoretical, or fall outside the domain of the responsible team.

General Criteria for Out-of-Scope Bugs

  1. Low/No Security Impact: bugs that do not meaningfully impact confidentiality, integrity, or availability.

  2. Lack of Practical Exploitability: theoretical vulnerabilities that cannot reasonably be exploited in real-world scenarios.

  3. Non-production or Third-Party Systems: issues affecting non-production environments or systems not owned or controlled by the program owner.

🖥️ Out-of-Scope — Web Applications

| Category | Examples (Typically Out-of-Scope) |
|---|---|
| Best practices / Informational | Missing HttpOnly or Secure flags (unless leading to a practical exploit), missing SPF/DKIM/DMARC without impact |
| Rate limiting / Bruteforce | Lack of rate limiting on non-sensitive actions like search fields |
| Clickjacking / Tapjacking | On pages with no sensitive functionality |
| Open Redirects | Without demonstrable impact like token theft or phishing |
| CSRF | On non-sensitive or unauthenticated endpoints, logout CSRF |
| Version disclosure | Stack banners, server headers, or error messages showing version |
| 404s / Debug Pages | Missing or overly verbose error pages without sensitive data |
| Mixed content | HTTP resources on HTTPS pages that don't affect security (e.g., images) |
| Autocomplete enabled | Unless leading to sensitive data leakage |
| Clickjacking on logout pages | Considered low-risk unless session fixation/forgery is proven |
| Broken links | On marketing, documentation, or blog pages |
| Image metadata | EXIF data leakage or filename disclosure, unless it exposes sensitive user information or poses a clear security risk |
| Pre-account takeover | An attacker registers or gains access to an account before the legitimate user does, often via predictable sign-up flows or reused credentials |
| Host Header Injection | Without a PoC demonstrating security impact |
| Man-in-the-Middle (MitM) Attacks | Reports requiring attacker control over the network (e.g., open Wi-Fi) without demonstrated impact via the compromised channel |
| Third-Party Assets / Out of Scope Domains | Vulnerabilities in assets not owned by the company |
| Theoretical / Scanner Reports | Auto-generated issues, theoretical bugs without practical impact |
| DoS / Resource Exhaustion | Denial of Service or rate abuse without authentication bypass or security impact |
| Content/Text Injection | Without control over HTML/CSS or an attack vector |
| Content Spoofing | Without embedded HTML or a phishing vector |
| Certificate / TLS / SSL Issues | Unless leading to data interception or tampering |
| Public Login Panels | Without proof of vulnerability or impact |
| Software Outdated | Reports about outdated software/libraries without a working exploit |

📱 Out-of-Scope — Mobile Applications

| Category | Examples (Typically Out-of-Scope) |
|---|---|
| Root/Jailbreak Detection Bypass | If the app doesn't explicitly promise root/jailbreak protection |
| Debug Logs / Stack Traces | Unless they expose sensitive data like credentials or tokens |
| Insecure storage | Low-risk data stored insecurely (e.g., cache files) with no PII or auth tokens |
| Obfuscation / Reverse Engineering | Lack of obfuscation or repackaging protections |
| Code decompilation | Reporting the fact that the app can be decompiled |
| Permissions declared but unused | Common in many Android apps and not a security issue |
| Clipboard access | Unless sensitive data is copied to the clipboard |
| End of Life platforms | The platform/version is no longer supported |
| Rate Limit Bypass via IP/Device ID | Changing IP/device ID to bypass rate limits with no further impact |
| MitM/Local Attacks | Without clear proof of data manipulation or impact |