Skip to main content
University of Nebraska System logo

Scope

Scope

In-Scope vulnerabilities

  • Remote Code Execution (RCE)
  • SQL injection
  • XML External Entity Injection (XXE)
  • Authorization bypass/escalation
  • Sensitive information leaks that expose private user data, credentials, or internal secrets (excluding public metadata such as software versions).
  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)

Out-of-Scope vulnerabilities

1. Third-Party Software Vulnerabilities

  • Vulnerabilities in software we do not control or maintain.
  • Example: Lack of verification for account deletion in Mailman.
  • Exception: If the issue results from our misconfiguration, it may be in scope.

2. Issues That Do Not Pose a Real Risk to Users

  • Vulnerabilities without practical exploitability.
  • Examples:
    • Self-XSS requiring user interaction.
    • HTML or text injection with not significant impact.

3. Denial of Service (DoS) & Rate-Limiting Issues

  • DoS vulnerabilities, excessive requests, or missing rate limits unless explicitly in scope.
  • Example: Lack of rate limiting on login forms without a proven exploit.

4. Content Spoofing & Clickjacking

  • Clickjacking reports with no real security impact.
  • Example: Clickjacking on a static page.

5. Best Practices & Missing Security Headers

  • Reports on missing headers that do not expose sensitive data.
  • Example:
    • Lack of X-Frame-Options on an informational page.
    • CORS misconfigurations
    • Lack of Referrer-Policy header

6. Social Engineering & Phishing

  • Attacks requiring social engineering.
  • Example: Convincing support to change an account email.

7. Deprecated or Non-Operational Assets

  • Vulnerabilities in retired or inactive services.
  • Example: Outdated documentation sites.

8. Non-Exploitable Information Disclosure

  • Publicly available information without security risk.
  • Examples:
    • Exposed software version in HTTP headers.
    • Directory Listing with no sensitive files (e.g. backups, config files, scripts including credentials).
    • Exposed documents NOT including PII. Use https://services.nebraska.edu/service/security-awareness-training/personally-identifiable-information-pii as a reference.

9. Lack of Security Best Practices Without Exploitability

  • Reports suggesting security improvements without a direct exploit.
  • Example: Use of outdated libraries with no known vulnerabilities.

10. Low-Impact CSRF Issues

  • CSRF affecting non-sensitive actions.
  • Example: CSRF on profile picture update.

11. Vulnerabilities in User-Supplied Content

  • Abuse of user-generated content without security risks.
  • Example: A user posting misleading URLs.

12. Attacks Requiring Physical Access

  • Exploits requiring physical access to a device.
  • Example: Extracting credentials from an unlocked device.

13. Automated Scanner Reports Without Manual Verification

  • Reports generated solely by automated tools without proof of exploitability.
  • Example: Scanner detecting an "information disclosure" issue with no impact.

14. Lack of Email Security Features

  • Reports on missing SPF, DKIM, or DMARC unless they enable phishing attacks.
  • Example: Missing DMARC policy without phishing risk.

15. Account Enumeration on Public Interfaces

  • Username or email existence checks unless they have security consequences.
  • Example: Finding if an email exists via password reset.

16. Bugs Without Substantial or Demonstrable Security Risk

  • Any bug that does not pose a substantial or demonstrable security risk is considered out of scope.
  • Example: Cosmetic UI issues that do not affect functionality or security.

17. Public Exposure of Budgets, Salaries, or Personnel Rosters

  • Any vulnerabilities related to the public exposure of employee salaries, rosters, or similar sensitive internal information are considered out of scope, unless they result in a direct security risk.
  • Example:
    • Exposure of staff rosters or salary data on public-facing pages without proper access control mechanisms.
    • Exposure of documents not including PII.

18. Credentials dumps

  • Credential dumps or leaked passwords found on third-party sites are out of scope for the University of Nebraska VDP. While we do not validate or process such reports as vulnerabilities, we may review them internally for security purposes.

19. Other Methods Not Authorized in 'Test Methods'

  • Any testing methods not explicitly authorized or listed in the "Test Methods" section of the bug bounty program are considered out of scope.
  • Example: Physical access to servers, social engineering, or using attacks not allowed by the program (e.g., brute forcing, exploiting third-party services, etc.).
Last update: 11/19/2025

Vulnerability Disclosure Program

COOKIE USAGE:

The University of Nebraska System uses cookies to give you the best online experience. By clicking "I Agree" and/or continuing to use this website without adjusting your browser settings, you accept the use of cookies.

PRIVACY SETTINGS