Out-of-Scope Security Examples
These examples help researchers decide whether a finding is likely to qualify for responsible disclosure review. They are not a complete list, and we may still review reports with clear, reproducible user or platform impact.
Usually out of scope
- Actions performed by an already-authenticated authorized account owner against their own resources.
- Reports that only work with the reporter's own valid session, without demonstrating session theft, CSRF, XSS, or a permission bypass.
- Product behavior or policy disagreements where no unauthorized access, privilege escalation, or data exposure is shown.
- Automated scanner output, missing headers, or best-practice suggestions without demonstrated exploitability.
- Self-XSS or issues that only affect the reporting user's own account or browser session.
What to include instead
Strong reports show unauthorized access, cross-user or team-role permission bypass, sensitive token exposure, cryptographic key handling failure, or a reproducible way to modify data without permission.