Out Of Scope
When reporting vulnerabilities, please consider (1) the attack scenario / exploitability, and (2) the security impact of the bug.
The following issues are considered out of scope:
- Clickjacking on pages with no sensitive actions
- Social engineering (for example, attempts to steal cookies, or fake login pages to collect credentials)
- Phishing
- Resource exhaustion attacks
- Attacks requiring MITM or physical access to a user's device
- Missing best practices in SSL/TLS configuration
- Any activity that could lead to the disruption of our service (DoS)
- Content spoofing and text injection issues without a demonstrated attack vector, or without the ability to modify HTML/CSS
- Attempting to compromise our endpoints by brute forcing
- Missing best practices in Content Security Policy
- Missing HttpOnly or Secure flags on cookies
- Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
- Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version)
- Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors)
- Tabnabbing
- Issues that require unlikely user interaction