Out-of-Scope Security Examples
These examples help researchers decide whether a finding is likely to qualify for responsible disclosure review. They are not a complete list, and we may still review reports with clear, reproducible user or platform impact.
Usually out of scope
- Actions performed by an already-authenticated authorized account owner against their own resources.
- Reports requiring possession of the reporter's own valid session without demonstrating session theft, CSRF, XSS, or a permission bypass.
- Product behavior or policy disagreements where no unauthorized access, privilege escalation, or data exposure is shown.
- Username homoglyph or confusable-character reports that assume usernames are public trust signals without showing unauthorized access, permission bypass, or data exposure.
- Username release or re-registration reports without a concrete transfer of permissions, data, ownership, account identity, or audit history.
- Similarity between user-controlled Vault branding values unless the report shows a bypass of PhotonFile reserved-branding controls or another concrete security impact.
- Automated scanner output, missing headers, or best-practice suggestions without demonstrated exploitability.
- Self-XSS or issues that only affect the reporting user's own account or browser session.
What to include instead
Strong reports show unauthorized access, cross-user or team-role permission bypass, sensitive token exposure, cryptographic key handling failure, or a reproducible way to modify data without permission.