Out of Scope

Any domain or application not specifically listed above is considered out of scope. Third party applications and load balancers are strictly prohibited without consent.

Out of Scope Vulnerabilities

The following vulnerability classes are generally not eligible for rewards, consistent with common bug bounty program policies (HackerOne, Bugcrowd, etc.):

• Denial of Service (DoS/DDoS) or resource exhaustion attacks
• Social engineering, phishing, vishing, or physical attacks
• Self-XSS or issues requiring the victim to paste or execute attacker-supplied code
• Missing security headers (CSP, HSTS, X-Frame-Options, etc.) without a demonstrated exploit
• CSRF on non-sensitive actions or unauthenticated endpoints
• SPF/DKIM/DMARC or other email configuration issues
• SSL/TLS or certificate configuration issues without a practical attack scenario
• Open redirects without demonstrated additional security impact
• Rate limiting, brute force, or username/email enumeration without account compromise
• Clickjacking on pages with no sensitive actions or security impact
• Issues affecting only outdated, unsupported, or modified browsers
• Automated scanner output without a working proof of concept
• Vulnerabilities in third-party services, libraries, or integrations outside our control
• Best-practice or informational findings without proven security impact