# Defined Terminology

<table><thead><tr><th width="230">Term</th><th>Description</th></tr></thead><tbody><tr><td><strong>Valid</strong></td><td>Valid reports are submissions that include real security vulnerabilities within the program’s defined scope.</td></tr><tr><td><strong>Duplicate</strong></td><td>A report containing the same valid issue, scope, and similar attack vector and impact as one that was previously submitted.</td></tr><tr><td><strong>Invalid</strong></td><td>A report is considered invalid if it does not describe a legitimate security vulnerability and/or represents a theoretical risk without a proper PoC.</td></tr><tr><td><strong>Out of scope</strong></td><td><p>A report is considered out of scope in the following cases:</p><ul><li>The bug report does not align with the overall program asset type.</li><li>The report's severity level is out of scope.</li><li>The reported vulnerability type is listed in the “Out of Scope” section.</li><li><p>The domain of the reported bug</p><ul><li>Is listed in the “Out of Scope” section;</li><li>Is not mentioned in the “Assets in Scope” section.</li></ul></li></ul></td></tr><tr><td><strong>Low-quality report</strong></td><td>A submission that does not meet the <a href="../../security-researchers/bug-submitting">Remedy bug reporting standards</a>.</td></tr><tr><td><strong>Spam</strong></td><td>Reports that are incomprehensible, AI-generated, abusive, or exhibit harassment, as well as those attempting to sell any product or service.</td></tr></tbody></table>
