HackenProof is a Bug Bounty and Vulnerability Coordination Platform. We connect our customers with the global hacker community to uncover security issues in their products. By running custom-tailored bug bounty programs we help our customers significantly reduce the risk of losing their data to cybercriminals.
Out of scope
We are interested in next web vulnerabilities:
- Business Logic
- Remote code execution (RCE)
- Database vulnerability, SQLi
- Cross Site Scripting (XSS)
- Privilege escalation
- Sensitive data exposure (IDOR, etc.)
- Authentication bypass
- Obtaining sensitive information
- Password attacks
- Cross-Site Request Forgery (CSRF)
- Server Side Request Forgery (SSRF)
In general, the following vulnerabilities do not correspond to the severity threshold:
- Known problems: 2FA session issues
- UI and UX bugs and spelling or localization mistakes.
- Descriptive error messages (e.g. Stack Traces, application or server errors)
- Open redirects. 99% of open redirects have low security impact. For the rare cases where the impact is higher, e.g., stealing auth tokens, we do still want to hear about them
- Vulnerabilities in third-party applications
- Publicly accessible login panels without proof of exploitation.
- Reports that state that software is out of date/vulnerable without a proof of concept.
- Host header issues without proof-of-concept demonstrating the vulnerability.
- HTTP codes/pages or other HTTP non-codes/pages.
- Fingerprinting/banner disclosure on common/public services.
- Disclosure of known public files or directories, (e.g. robots.txt).
- Clickjacking/Tapjacking and issues only exploitable through clickjacking/tapjacking.
- CSRF in forms that are available to anonymous users (e.g. the contact form).
- Login & Logout CSRF
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
- Lack of Secure/HTTPOnly flags on non-security-sensitive Cookies.
- OPTIONS HTTP method enabled
- Lack of Security Speed bump when leaving the site.
- Weak Captcha
- Content injection issues.
- HTTPS Mixed Content Scripts
- Content Spoofing without embedded links/html
- Reflected File Download (RFD).
- Best practices concerns.
- Highly speculative reports about theoretical damage. Be concrete.
- Missing HTTP security headers, specifically, For e.g.
- Host Header
- Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
- Infrastructure vulnerabilities, including:
- Certificates/TLS/SSL related issues
- DNS issues (i.e. mx records, SPF records, etc.)
- Server configuration issues (i.e., open ports, TLS, etc.)
- Outdated web browsers: vulnerabilities contingent upon outdated or unpatched browsers will not be honored, including Internet Explorer all versions
- Vulnerabilities involving active content such as web browser add-ons
- XSS issues that affect only outdated browsers (like Internet Explorer)
- Issues that require physical access to a victim’s computer.
- Physical or social engineering attempts (this includes phishing attacks against employees).
- Recently disclosed 0day vulnerabilities.
- Microsites with little to no user data
- Most brute forcing issues
- Denial of service
- Avoid compromising any personal data, interruption or degradation of any service .
- Don’t access or modify other user data, localize all tests to your accounts.
- Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks or spam.
- In case you find chain vulnerabilities we pay only for vulnerability with the highest severity.
- Only the first valid bug is eligible for reward.
- Don’t disclose publicly any vulnerability until you are granted permission to do so.
- Don’t break any law and stay in the defined scope.
- Comply with the rules of the program.
- Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of this Company without appropriate permission.