Here's a list of all Bugcrowd's standard exclusions as well as a link to Bugcrowd's standard disclosure policy (ours is explicit permission as opposed to 90 days). Hope this is helpful :-)
STANDARD EXCLUSIONS:
The following finding types are specifically excluded from the bounty:
Descriptive error messages (e.g. Stack Traces, application or server errors).
HTTP 404 codes/pages or other HTTP non-200 codes/pages.
Fingerprinting / banner disclosure on common/public services.
Disclosure of known public files or directories (e.g. robots.txt).
Clickjacking and issues only exploitable through clickjacking.
CSRF on forms that are available to anonymous users (e.g. the contact form).
Logout Cross-Site Request Forgery (logout CSRF).
Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
Lack of Secure/HTTPOnly flags on non-sensitive Cookies.
Lack of Security Speedbump when leaving the site.
Weak Captcha / Captcha Bypass.
Forgot Password page brute force and account lockout not enforced.
[Mobile optional]
Out of Scope bugs for Android apps
Out of Scope bugs for iOS apps
BUGCROWD STANDARD DISCLOSURE POLICY https://bugcrowd.com/resources/standard-disclosure-terms