Scope vulnerability reports
Vulnerabilities within the scope of this Responsible Disclosure policy include, but are not limited to:
- Injection vulnerabilities
- Broken Authentication and Session Management
- Cross Site Scripting (XSS)
- Remote Code Execution
- Insecure Direct Object Reference
- Sensitive Data Exposure
- Security Misconfiguration
- Missing Function Level Access Control
- Using Components with Known Vulnerabilities
- Unvalidated Redirects and Forwards
- Directory/Path traversal
- Exposed credentials
Vulnerabilities out of the scope of this Responsible Disclosure policy include, but are not limited to:
- Account enumeration using brute-force attacks
- Cross-Site Request Forgery (CSRF), in particular on unauthenticated forms or forms with no sensitive actions
- Weak password policies and password complexity requirements
- Missing HTTP security headers which do not lead to a demonstrable vulnerability
- Missing best practices in Content Security Policy
- Clickjacking on static websites or on pages with no sensitive actions
- Reports from automated tools or scans
- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
- Presence of the autocomplete attribute on web forms
- Missing cookie flags (HttpOnly, Secure) on cookies, in particular on non-sensitive cookies
- Reports of SSL/TLS issues, missing best practices in SSL/TLS configuration, or insecure ciphers
- Mail configuration issues, including invalid, incomplete or missing SPF, DKIM or DMARC records
- Self-exploitation attacks (e.g. self-XSS)
- Social engineering attacks
- Test versions of applications
- Attacks requiring MITM or physical access to a user's device
- Previously known vulnerable libraries without a working proof of concept
- Comma Separated Values (CSV) injection without demonstrating a vulnerability
- Any activity that could lead to the disruption of our service (DoS)
- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS
- Rate limiting or brute-force issues on non-authentication endpoints
- Software version disclosure, banner identification issues, and descriptive error messages or headers (e.g. stack traces, application or server errors)
- Tabnabbing
- Open redirect, unless an additional security impact can be demonstrated
- Issues that require unlikely user interaction