@irfnrdh
Created May 21, 2025 05:22

❌ Non-Qualifying Vulnerabilities

Unless explicitly stated otherwise, the following issues are not eligible for rewards, except where they lead to a serious data leak or other security impact that is demonstrated with a working Proof-of-Concept (PoC).

🔒 Authentication & Session Issues

  • CSRF on unauthenticated forms or forms with no sensitive actions
  • Account enumeration (via login, registration, or password reset)
  • Session timeout or lack of automatic logout
  • Session hijacking via cookie reuse (without method to obtain the cookie)
  • Autocomplete enabled on login fields
  • Weak password policy (unless combined with brute-force or no rate-limiting)
  • Missing email verification (unless it leads to abuse or escalation)
  • Self-XSS (requires user interaction in their own browser)
  • Lack of account lockout after multiple failed login attempts

🌐 Web Misconfigurations & Behavior

  • Clickjacking
  • Open redirect without clear impact (e.g., no credential theft or token leakage)
  • Missing or misconfigured HTTP headers (e.g., X-Frame-Options, X-Content-Type-Options)
  • Missing HttpOnly, Secure, or SameSite cookie flags
  • Missing Content Security Policy (CSP) header (unless exploitable)
  • CORS misconfiguration without sensitive data exposure
  • Host header injection without demonstrable impact
  • Error messages or stack traces without sensitive data
  • Directory listing without exposing sensitive files
  • Misconfigured robots.txt file

🧱 Infrastructure & Network

  • Deviations from SSL/TLS best practices (e.g., support for TLS 1.0 or weak cipher suites)
  • Disclosure of server software versions (Apache, Nginx, PHP, etc.)
  • Exposure of internal IPs or non-sensitive infrastructure information
  • DKIM, SPF, or DMARC configuration issues
  • DNS misconfigurations without takeover (e.g., dangling CNAME)
  • Subdomain takeover on inactive subdomains without business impact

⚠️ Abuse, Traffic & Rate Limiting

  • Denial of Service (DoS) or brute-force attempts
  • Lack of rate limiting (without actual abuse or bypass)
  • Use of automated tools or scanners to generate large volumes of traffic
  • Downloading of public videos or other static resources
  • Abuse of confirmation/resend email functionality

🧠 Theoretical or Informational

  • Hypothetical flaws or suggestions without an exploitable Proof-of-Concept
  • Use of outdated or vulnerable libraries (unless exploitable)
  • Exposure of public-facing JavaScript source code
  • Disclosure of technology stacks or frameworks (e.g., React, jQuery, WordPress)
  • Cached information in search engines or the Wayback Machine

🧍 Human-Related or Out-of-Scope

  • Physical attacks against offices or data centers
  • Social engineering of employees, service desk, or contractors
  • Compromise of user accounts not due to platform vulnerabilities