...
Vulnerabilities in custom code developed by merchants.
Vulnerabilities in third party extensions.
Clickjacking on pages with no sensitive actions.
Vulnerabilities that require disabling security features enabled in default configurations.
Unauthenticated/logout/login CSRF.
Attacks requiring MITM or physical access to a user's device.
Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL.
Comma Separated Values (CSV) injection without demonstrating a vulnerability.
Missing best practices in SSL/TLS configuration.Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.
Vulnerabilities that require extensive or obtuse social engineering. For example, a user typing an XSS into an input field, and then submitting the form to trigger a non-persistent XSS.
Open Redirects/Forwards when leaving the site.
Missing HTTP security headers, specifically http specifically http security headers.
Reports from automated scripts or scanners (without proof of exploitation).
Account squatting by preventing users from registering with certain email addresses
Best practice reports without a valid exploit (e.g., use of "weak" TLS ciphers)
Clickjacking on pages with no sensitive actions
Comma Separated Values (CSV) injection without demonstrating a vulnerability
Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
Denial of service
Disclosure of server or software version numbers
Hypothetical subdomain takeovers without supporting evidence
Issues that are premised on unlikely user interaction
Missing best practices in Content Security Policy
Missing best practices in SSL/TLS configuration
Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
Missing HttpOnly or Secure flags on cookies
Open redirect - unless an additional security impact can be demonstrated
Perceived security weaknesses without concrete evidence of the ability to compromise a user (e.g., missing rate limits, missing headers, etc.)
Previously known vulnerable libraries without a working Proof-of-Concept
Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis
Rate limiting or bruteforce issues on non-authentication endpoints
Reports exploiting the behavior of, or vulnerabilities in, outdated browsers
Reports of spam
Self-XSS
Session invalidation or other improved-security related to account management when a credential is already known (e.g., password reset link does not immediately expire, adding MFA does not expire other sessions, etc.)
Social engineering
Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)
Tabnabbing
Unconfirmed reports from automated vulnerability scanners
User/merchant enumeration
Vulnerabilities only affecting users of outdated or unpatched browsers (less than 2 stable versions behind the latest released stable version)