Bugcrowd Standard Exclusions

[gmcquaid2010]

Here's a list of all Bugcrowd's standard exclusions as well as a link to Bugcrowd's standard disclosure policy (ours is explicit permission as opposed to 90 days). Hope this is helpful :-)

STANDARD EXCLUSIONS: The following finding types are specifically excluded from the bounty:

• Descriptive error messages (e.g. Stack Traces, application or server errors).
• HTTP 404 codes/pages or other HTTP non-200 codes/pages.
• Fingerprinting / banner disclosure on common/public services.
• Disclosure of known public files or directories, (e.g. robots.txt).
• Clickjacking and issues only exploitable through clickjacking.
• CSRF on forms that are available to anonymous users (e.g. the contact form).
• Logout Cross-Site Request Forgery (logout CSRF).
• Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
• Lack of Secure/HTTPOnly flags on non-sensitive Cookies.
• Lack of Security Speedbump when leaving the site.
• Weak Captcha / Captcha Bypass
• Forgot Password page brute force and account lockout not enforced.
• OPTIONS HTTP method enabled
• Username / email enumeration
• via Login Page error message
• via Forgot Password error message
• Missing HTTP security headers, specifically (https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
  • Strict-Transport-Security
  • X-Frame-Options
  • X-XSS-Protection
  • X-Content-Type-Options
  • Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
  • Content-Security-Policy-Report-Only
• SSL Issues, e.g.
• SSL Attacks such as BEAST, BREACH, Renegotiation attack
• SSL Forward secrecy not enabled
• SSL weak / insecure cipher suites

[Mobile optional]

Out of Scope bugs for Android apps

• Shared links leaked through the system clipboard.
• Any URIs leaked because a malicious app has permission to view URIs opened
• Absence of certificate pinning
• Sensitive data in URLs/request bodies when protected by TLS
• User data stored unencrypted on external storage
• Lack of obfuscation is out of scope
• oauth "app secret" hard-coded/recoverable in apk
• Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceive (exploiting these for sensitive data leakage is commonly in scope)
• Any kind of sensitive data stored in app private directory
• Lack of binary protection control in android app

  Out of Scope bugs for iOS apps

• Lack of Exploit mitigations ie PIE, ARC, or Stack Canaries
• Absence of certificate pinning
• Path disclosure in the binary
• User data stored unencrypted on the file system
• Lack of obfuscation is out of scope
• Lack of jailbreak detection is out of scope
• oauth "app secret" hard-coded/recoverable in apk
• Crashes due to malformed URL Schemes
• Lack of binary protection (anti-debugging) controls
• Snapshot/Pasteboard leakage
• Runtime hacking exploits (exploits only possible in a jailbroken environment)

BUGCROWD STANDARD DISCLOSURE POLICY https://bugcrowd.com/resources/standard-disclosure-terms