Skip to main content
University of Nebraska System logo

Scope

Scope

In-Scope vulnerabilities

  • Remote Code Execution (RCE)
  • SQL injection
  • XML External Entity Injection (XXE)
  • Authorization bypass/escalation
  • Sensitive information leaks that expose private user data, credentials, or internal secrets (excluding public metadata such as software versions).
  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)

Out-of-Scope vulnerabilities

1. Third-Party Software Vulnerabilities

  • Vulnerabilities in software we do not control or maintain.
  • Example: Lack of verification for account deletion in Mailman.
  • Exception: If the issue results from our misconfiguration, it may be in scope.

2. Issues That Do Not Pose a Real Risk to Users

  • Vulnerabilities without practical exploitability.
  • Examples:
    • Self-XSS requiring user interaction.
    • HTML or text injection with not significant impact.

3. Denial of Service (DoS) & Rate-Limiting Issues

  • DoS vulnerabilities, excessive requests, or missing rate limits unless explicitly in scope.
  • Example: Lack of rate limiting on login forms without a proven exploit.

4. Content Spoofing & Clickjacking

  • Clickjacking reports with no real security impact.
  • Example: Clickjacking on a static page.

5. Best Practices & Missing Security Headers

  • Reports on missing headers that do not expose sensitive data.
  • Example:
    • Lack of X-Frame-Options on an informational page.
    • CORS misconfigurations
    • Lack of Referrer-Policy header

6. Social Engineering & Phishing

  • Attacks requiring social engineering.
  • Example: Convincing support to change an account email.

7. Deprecated or Non-Operational Assets

  • Vulnerabilities in retired or inactive services.
  • Example: Outdated documentation sites.

8. Non-Exploitable Information Disclosure

  • Publicly available information without security risk.
  • Examples:
    • Exposed software version in HTTP headers.
    • Directory Listing with no sensitive files (e.g. backups, config files, scripts including credentials).
    • Exposed documents NOT including PII. Use https://services.nebraska.edu/service/security-awareness-training/personally-identifiable-information-pii as a reference.

9. Lack of Security Best Practices Without Exploitability

  • Reports suggesting security improvements without a direct exploit.
  • Example: Use of outdated libraries with no known vulnerabilities.

10. Low-Impact CSRF Issues

  • CSRF affecting non-sensitive actions.
  • Example: CSRF on profile picture update.

11. Vulnerabilities in User-Supplied Content

  • Abuse of user-generated content without security risks.
  • Example: A user posting misleading URLs.

12. Attacks Requiring Physical Access

  • Exploits requiring physical access to a device.
  • Example: Extracting credentials from an unlocked device.

13. Automated Scanner Reports Without Manual Verification

  • Reports generated solely by automated tools without proof of exploitability.
  • Example: Scanner detecting an "information disclosure" issue with no impact.

14. Lack of Email Security Features

  • Reports on missing SPF, DKIM, or DMARC unless they enable phishing attacks.
  • Example: Missing DMARC policy without phishing risk.

15. Account Enumeration on Public Interfaces

  • Username or email existence checks unless they have security consequences.
  • Example: Finding if an email exists via password reset.

16. Bugs Without Substantial or Demonstrable Security Risk

  • Any bug that does not pose a substantial or demonstrable security risk is considered out of scope.
  • Example: Cosmetic UI issues that do not affect functionality or security.

17. Public Exposure of Budgets, Salaries, or Personnel Rosters

  • Any vulnerabilities related to the public exposure of employee salaries, rosters, or similar sensitive internal information are considered out of scope, unless they result in a direct security risk.
  • Example:
    • Exposure of staff rosters or salary data on public-facing pages without proper access control mechanisms.
    • Exposure of documents not including PII.

18. Other Methods Not Authorized in 'Test Methods'

  • Any testing methods not explicitly authorized or listed in the "Test Methods" section of the bug bounty program are considered out of scope.
  • Example: Physical access to servers, social engineering, or using attacks not allowed by the program (e.g., brute forcing, exploiting third-party services, etc.).
Last update: 09/23/2025

Vulnerability Disclosure Program

COOKIE USAGE:

The University of Nebraska System uses cookies to give you the best online experience. By clicking "I Agree" and/or continuing to use this website without adjusting your browser settings, you accept the use of cookies.

PRIVACY SETTINGS