When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

• Vulnerabilities in custom code developed by merchants.

• Vulnerabilities in third party extensions.

• Clickjacking on pages with no sensitive actions.

• Vulnerabilities that require disabling security features enabled in default configurations. 

• Unauthenticated/logout/login CSRF.

• Attacks requiring MITM or physical access to a user's device.

• Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL.

• Comma Separated Values (CSV) injection without demonstrating a vulnerability.

• Missing best practices in SSL/TLS configuration.

• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS

• Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.

• Vulnerabilities that require extensive or obtuse social engineering. For example, a user typing an XSS into an input field, and then submitting the form to trigger a non-persistent XSS.

• Open Redirects/Forwards when leaving the site.

• Missing HTTP security headers, specifically http security headers.

• Reports from automated scripts or scanners (without proof of exploitation).