Created
May 21, 2025 05:22
Revisions
irfnrdh revised this gist
May 21, 2025. 1 changed file with 0 additions and 2 deletions.
@@ -14,8 +14,6 @@ Unless explicitly stated, the following issues are **not eligible for rewards** - Self-XSS (requires user interaction in their own browser) - Lack of account lockout after multiple failed login attempts ## 🌐 Web Misconfigurations & Behavior - Click-jacking -
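Review bot: the `Lack of account lockout after multiple failed login attempts` line kept as context in this hunk is excluded unconditionally, while the weak-password item in the same section of the initial revision is excluded only `unless combined with brute-force or no rate-limiting`; either give the lockout item the same qualifier or state why the two are treated differently, otherwise a report that chains missing lockout with a demonstrated brute-force has no clear status. While this region is being edited, `Self-XSS (requires user interaction in their own browser)` is filed under Authentication & Session Issues although it is a client-side web issue and belongs under Web Misconfigurations & Behavior, which is the very heading this hunk touches. Removing the `---` separator itself is consistent with the rest of the file, which separates sections by headings alone.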
irfnrdh created this gist
May 21, 2025.
@@ -0,0 +1,61 @@ # ❌ Non-Qualifying Vulnerabilities Unless explicitly stated, the following issues are **not eligible for rewards** unless they lead to **serious data leaks or security impact** with a working Proof-of-Concept (PoC). ## 🔒 Authentication & Session Issues - CSRF on unauthenticated forms or forms with no sensitive actions - Account enumeration (via login, registration, or password reset) - Session timeout or lack of automatic logout - Session hijacking via cookie reuse (without method to obtain the cookie) - Autocomplete enabled on login fields - Weak password policy (unless combined with brute-force or no rate-limiting) - Missing email verification (unless it leads to abuse or escalation) - Self-XSS (requires user interaction in their own browser) - Lack of account lockout after multiple failed login attempts --- ## 🌐 Web Misconfigurations & Behavior - Click-jacking - Open redirect without clear impact (e.g., no credential theft or token leakage) - Missing or misconfigured HTTP headers (e.g., X-Frame-Options, X-Content-Type-Options) - Missing `HttpOnly`, `Secure`, or `SameSite` cookie flags - Missing Content Security Policy (CSP) header (unless exploitable) - CORS misconfiguration without sensitive data exposure - Host header injection without demonstrable impact - Error messages or stack traces without sensitive data - Directory listing without exposing sensitive files - Misconfigured `robots.txt` file ## 🧱 Infrastructure & Network - SSL/TLS best practices (e.g., use of TLS 1.0 or weak ciphers) - Disclosure of server software versions (Apache, Nginx, PHP, etc.) 
- Exposure of internal IPs or non-sensitive infrastructure information - DKIM, SPF, or DMARC configuration issues - DNS misconfigurations without takeover (e.g., dangling CNAME) - Subdomain takeover on inactive subdomains without business impact ## ⚠️ Abuse, Traffic & Rate Limiting - Denial of Service (DoS) or brute-force attempts - Lack of rate limiting (without actual abuse or bypass) - Use of automated tools or scanners to generate large volumes of traffic - Downloading of public videos or other static resources - Abuse of confirmation/resend email functionality ## 🧠 Theoretical or Informational - Hypothetical flaws or suggestions without an exploitable Proof-of-Concept - Use of outdated or vulnerable libraries (unless exploitable) - Exposure of public-facing JavaScript source code - Disclosure of technology stacks or frameworks (e.g., React, jQuery, WordPress) - Cached information in search engines or the Wayback Machine ## 🧍 Human-Related or Out-of-Scope - Physical attacks against offices or data centers - Social engineering of employees, service desk, or contractors - Compromise of user accounts not due to platform vulnerabilities
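Review bot: `SSL/TLS best practices (e.g., use of TLS 1.0 or weak ciphers)` under Infrastructure & Network reads as if following best practices were the non-qualifying finding; suggest `Deviations from SSL/TLS best practices (e.g., use of TLS 1.0 or weak ciphers)`. In Abuse, Traffic & Rate Limiting, `Lack of rate limiting (without actual abuse or bypass)` requires researchers to show actual abuse while the same section excludes `Denial of Service (DoS) or brute-force attempts` and `Use of automated tools or scanners to generate large volumes of traffic`, so the policy should say what evidence of a missing rate limit is acceptable to submit; as written, the testing needed to qualify a report is itself listed as non-qualifying. Under Infrastructure & Network, `DNS misconfigurations without takeover (e.g., dangling CNAME)` and `Subdomain takeover on inactive subdomains without business impact` sit side by side without defining business impact, and a sentence on what demonstration is expected would avoid disputes. Finally, the `---` after the Authentication section is the only horizontal rule in the file and is inconsistent with the other sections; the later revision removes it.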