Defined Terminology

Valid

Valid reports are submissions that include real security vulnerabilities within the program’s defined scope.

Duplicate

Report containing the same valid issue, scope, and similar attack vector and impact that was previously submitted.

Invalid

A report is considered invalid if it does not describe a legitimate security vulnerability and/or represents a theoretical risk without a proper PoC.

Out of scope

The cases when the report is considered as out-of-scope:

• The bug report does not align with the overall program asset type.

• The report's severity level is out of scope.

• The reported vulnerability type is listed in the “Out of Scope” section.

• The domain of the reported bug

  • Is listed in the “Out of Scope” section;

  • Is not mentioned in the "Assets in Scope" section.

Low-quality report

Submission that does not meet the

Spam

Reports that are incomprehensible, AI-generated, abusive, or exhibit harassment, as well as those attempting to sell any product or service.