
Out-of-Scope Bugs

Out-of-scope bugs are issues that a bug bounty program explicitly does not accept for triage, reward, or remediation. They are excluded because they pose negligible risk, because they are too common or purely theoretical to act on, or because they fall outside the systems the responsible team owns or controls.

✅ General Criteria for Out-of-Scope Bugs

  1. Low/no security impact: bugs that do not meaningfully affect confidentiality, integrity, or availability.

  2. Lack of practical exploitability: theoretical weaknesses that cannot reasonably be exploited in a real-world scenario.

  3. Non-production or third-party systems: issues affecting non-production environments (staging, test, demo) or systems not owned or controlled by the program owner.

🖥️ Out-of-Scope — Web Applications

Category: Examples (typically out of scope)

Best practices / Informational: Missing HttpOnly or Secure cookie flags (unless they lead to a practical exploit); missing SPF/DKIM/DMARC records without demonstrated impact
Rate limiting / Brute force: Lack of rate limiting on non-sensitive actions such as search fields
Clickjacking: On pages with no sensitive functionality
Open redirects: Without demonstrable impact such as token theft or a credible phishing chain
CSRF: On non-sensitive or unauthenticated endpoints
Version disclosure: Stack banners, server headers, or error messages that reveal a version number
404s / Debug pages: Default or overly verbose error pages that reveal no sensitive data
Mixed content: HTTP resources on HTTPS pages that do not affect security (e.g., images)
Autocomplete enabled: Browser autocomplete on form fields, unless it leads to sensitive data leakage
Clickjacking on logout pages: Forcing a logout via a framed page is considered low risk unless it is chained into session fixation or forgery
Broken links in blog posts: Broken or dead hyperlinks on marketing, docs, or blog pages
Image metadata: EXIF data or original filenames retained in uploaded images, unless they expose sensitive user information or pose a clear security risk
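Several rows above hinge on a caveat ("unless leading to a practical exploit", "pages with no sensitive functionality", "resources that don't affect security"). The following Python helper is an added example, not HackenProof's code, showing the checks a triager can run on a raw HTTP response to separate the informational variant of each finding from the one that should be accepted. The sample response, the set of cookie names treated as authentication cookies, and the three context flags (`page_is_sensitive`, `xss_demonstrated`, `plain_http_reachable`) are assumptions for the demo; the mixed-content check also illustrates why passive content (images) is listed as out of scope while active content (scripts, frames) is not.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    title: str
    in_scope: bool
    reason: str


# Constructed sample response for the demo; not captured from any real site.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>\n"
    "<img src=\"http://cdn.example.com/logo.png\">\n"
    "<script src=\"http://cdn.example.com/app.js\"></script>\n"
    "</body></html>"
)

# Cookie names treated as authentication cookies (assumption for the demo).
SESSION_COOKIE_NAMES = {"session", "sessionid", "sid", "phpsessid", "jsessionid"}

# Active mixed content can run code in the HTTPS page; passive content cannot.
ACTIVE_MIXED = re.compile(r'<(script|iframe|link|object)\b[^>]*\b(src|href)=["\']http://', re.I)
PASSIVE_MIXED = re.compile(r'<(img|audio|video)\b[^>]*\bsrc=["\']http://', re.I)
VERSION_BANNER = re.compile(r"[A-Za-z][\w.-]*/\d+(\.\d+)+")


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into [(lower-cased name, value)] headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body


def parse_set_cookie(value: str):
    """Return (cookie name, set of lower-cased attribute names) for one Set-Cookie header."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def classify(raw: str, page_is_sensitive: bool, xss_demonstrated: bool = False,
             plain_http_reachable: bool = False):
    """Return Findings with in_scope decided by the caveats in the out-of-scope table."""
    headers, body = parse_response(raw)
    findings = []

    for name, value in headers:
        if name == "set-cookie":
            cname, attrs = parse_set_cookie(value)
            missing = [a for a in ("secure", "httponly") if a not in attrs]
            if not missing:
                continue
            auth_cookie = cname.lower() in SESSION_COOKIE_NAMES
            # Flags on a non-auth cookie are informational. On an auth cookie, a missing
            # Secure flag matters only if the host answers over plain HTTP, and a missing
            # HttpOnly flag only once a script-injection vector has been demonstrated.
            practical = auth_cookie and (
                ("secure" in missing and plain_http_reachable)
                or ("httponly" in missing and xss_demonstrated))
            findings.append(Finding(f"cookie {cname!r} missing {', '.join(missing)}", practical,
                                    "practical exploit shown" if practical else "best practice only"))
        elif name == "server" and VERSION_BANNER.search(value):
            findings.append(Finding(f"version disclosure: {value}", False,
                                    "a banner alone has no impact"))

    hdr = dict(headers)  # last value wins; only X-Frame-Options / CSP are looked up here
    framable = ("x-frame-options" not in hdr
                and "frame-ancestors" not in hdr.get("content-security-policy", "").lower())
    if framable:
        findings.append(Finding("clickjacking (no frame protection)", page_is_sensitive,
                                "sensitive action on page" if page_is_sensitive
                                else "no sensitive functionality on page"))

    if ACTIVE_MIXED.search(body):
        findings.append(Finding("active mixed content (script/iframe over http)", True,
                                "an on-path attacker can inject script into the HTTPS page"))
    if PASSIVE_MIXED.search(body):
        findings.append(Finding("passive mixed content (image/media over http)", False,
                                "passive content cannot execute script in the page"))
    return findings


if __name__ == "__main__":
    for f in classify(SAMPLE_RESPONSE, page_is_sensitive=False):
        print(f"{'IN SCOPE ' if f.in_scope else 'OUT      '} {f.title}: {f.reason}")
```

Run against the sample response on a non-sensitive page, only the active mixed content is reported as in scope; passing `page_is_sensitive=True` promotes the clickjacking finding, and `xss_demonstrated=True` promotes the missing HttpOnly flag on the session cookie, which is exactly the "practical exploit" caveat the table asks reporters to satisfy.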


📱 Out-of-Scope — Mobile Applications

Category: Examples (typically out of scope)

Root/Jailbreak detection bypass: Unless the app explicitly promises root/jailbreak protection
Debug logs / Stack traces: Unless they expose sensitive data such as credentials or tokens
Insecure storage: Low-risk data stored insecurely (e.g., cache files) that contains no PII or auth tokens
Obfuscation / Reverse engineering: Lack of code obfuscation or anti-repackaging protections
Code decompilation: Reporting only that the app can be decompiled
Permissions declared but unused: Common in many Android apps and not a security issue by itself
Clipboard access: Unless sensitive data is copied to the clipboard
End-of-life platforms: Issues that only reproduce on a platform or OS version that is no longer supported
