Exclusions

Owned by Rico Neitzel
Last updated: Oct 04, 2022
2 min read

When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

  • Vulnerabilities in custom code developed by merchants.

  • Vulnerabilities in third party extensions.

  • Vulnerabilities that require disabling security features enabled in default configurations.

  • Unauthenticated/logout/login CSRF.

  • Attacks requiring MITM or physical access to a user's device.

  • Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL.

  • Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.

  • Vulnerabilities that require extensive or obtuse social engineering. For example, a user typing an XSS into an input field, and then submitting the form to trigger a non-persistent XSS.

  • Open Redirects/Forwards when leaving the site.

  • Missing HTTP security headers, specifically http security headers.

  • Reports from automated scripts or scanners (without proof of exploitation).

  • Account squatting by preventing users from registering with certain email addresses

  • Best practice reports without a valid exploit (e.g., use of "weak" TLS ciphers)

  • Clickjacking on pages with no sensitive actions

  • Comma Separated Values (CSV) injection without demonstrating a vulnerability

  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS

  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions

  • Denial of service

  • Disclosure of server or software version numbers

  • Hypothetical subdomain takeovers without supporting evidence

  • Issues that are premised on unlikely user interaction

  • Missing best practices in Content Security Policy

  • Missing best practices in SSL/TLS configuration

  • Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)

  • Missing HttpOnly or Secure flags on cookies

  • Open redirect - unless an additional security impact can be demonstrated

  • Perceived security weaknesses without concrete evidence of the ability to compromise a user (e.g., missing rate limits, missing headers, etc.)

  • Previously known vulnerable libraries without a working Proof-of-Concept

  • Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis

  • Rate limiting or bruteforce issues on non-authentication endpoints

  • Reports exploiting the behavior of, or vulnerabilities in, outdated browsers

  • Reports of spam

  • Self-XSS

  • Session invalidation or other improved-security related to account management when a credential is already known (e.g., password reset link does not immediately expire, adding MFA does not expire other sessions, etc.)

  • Social engineering

  • Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)

  • Tabnabbing

  • Unconfirmed reports from automated vulnerability scanners

  • User/merchant enumeration

  • Vulnerabilities only affecting users of outdated or unpatched browsers (less than 2 stable versions behind the latest released stable version)