Scope

In-Scope Vulnerabilities

Remote Code Execution (RCE)
SQL injection
XML External Entity Injection (XXE)
Authorization bypass/escalation
Sensitive information leaks that expose private user data, credentials, or internal secrets (excluding public metadata such as software versions).
Cross-site scripting (XSS)
Cross-site request forgery (CSRF)
Authoritative DNS zone transfers (AXFR) are in‑scope; severity depends on exposure of sensitive/internal records.

Out-of-Scope Vulnerabilities

1. Third-Party Software Vulnerabilities

Vulnerabilities in software we do not control or maintain.
Example: Lack of verification for account deletion in Mailman.
Exception: If the issue results from our misconfiguration, it may be in scope.

2. Issues That Do Not Pose a Real Risk to Users

Vulnerabilities without practical exploitability.
Examples:
- Self-XSS requiring user interaction.
- HTML or text injection with not significant impact.

3. Denial of Service (DoS) & Rate-Limiting Issues

DoS vulnerabilities, excessive requests, or missing rate limits unless explicitly in scope.
Example: Lack of rate limiting on login forms without a proven exploit.

4. Content Spoofing & Clickjacking

Clickjacking reports with no real security impact.
Example: Clickjacking on a static page.

5. Best Practices & Missing Security Headers

Reports on missing headers that do not expose sensitive data.
Example:
- Lack of X-Frame-Options on an informational page.
- CORS misconfigurations
- Lack of Referrer-Policy header

6. Social Engineering & Phishing

Attacks requiring social engineering.
Example: Convincing support to change an account email.

7. Deprecated or Non-Operational Assets

Vulnerabilities in retired or inactive services.
Example: Outdated documentation sites.

8. Non-Exploitable Information Disclosure

Publicly available information without security risk.
Examples:
- Exposed software version in HTTP headers.
- Directory Listing with no sensitive files (e.g. backups, config files, scripts including credentials).
- Exposed documents NOT including PII. Use https://services.nebraska.edu/service/security-awareness-training/personally-identifiable-information-pii as a reference.
- WebAudit (webaudit.unl.edu) scans only public content; reports based solely on its results are out of scope absent an authentication or access-control bypass.

9. Lack of Security Best Practices Without Exploitability

Reports suggesting security improvements without a direct exploit.
Example: Use of outdated libraries with no known vulnerabilities.

10. Low-Impact CSRF Issues

CSRF affecting non-sensitive actions.
Example: CSRF on profile picture update.

11. Vulnerabilities in User-Supplied Content

Abuse of user-generated content without security risks.
Example: A user posting misleading URLs.

12. Attacks Requiring Physical Access

Exploits requiring physical access to a device.
Example: Extracting credentials from an unlocked device.

13. Automated Scanner Reports Without Manual Verification

Reports generated solely by automated tools without proof of exploitability.
Example: Scanner detecting an "information disclosure" issue with no impact.

14. Lack of Email Security Features

Reports on missing SPF, DKIM, or DMARC unless they enable phishing attacks.
Example: Missing DMARC policy without phishing risk.

15. Account Enumeration on Public Interfaces

Username or email existence checks unless they have security consequences.
Example: Finding if an email exists via password reset.

16. Bugs Without Substantial or Demonstrable Security Risk

Any bug that does not pose a substantial or demonstrable security risk is considered out of scope.
Example: Cosmetic UI issues that do not affect functionality or security.

17. Public Exposure of Budgets, Salaries, or Personnel Rosters

Any vulnerabilities related to the public exposure of employee salaries, rosters, or similar sensitive internal information are considered out of scope, unless they result in a direct security risk.
Example:
- Exposure of staff rosters or salary data on public-facing pages without proper access control mechanisms.
- Exposure of documents not including PII.

18. Credentials dumps

Credential dumps or leaked passwords found on third-party sites are out of scope for the University of Nebraska VDP. While we do not validate or process such reports as vulnerabilities, we may review them internally for security purposes.

19. Other Methods Not Authorized in 'Test Methods'

Any testing methods not explicitly authorized or listed in the "Test Methods" section of the bug bounty program are considered out of scope.
Example: Physical access to servers, social engineering, or using attacks not allowed by the program (e.g., brute forcing, exploiting third-party services, etc.).

Last update: 01/15/2026

VDP Scope

In-Scope Vulnerabilities

Out-of-Scope Vulnerabilities

1. Third-Party Software Vulnerabilities

2. Issues That Do Not Pose a Real Risk to Users

3. Denial of Service (DoS) & Rate-Limiting Issues

4. Content Spoofing & Clickjacking

5. Best Practices & Missing Security Headers

6. Social Engineering & Phishing

7. Deprecated or Non-Operational Assets

8. Non-Exploitable Information Disclosure

9. Lack of Security Best Practices Without Exploitability

10. Low-Impact CSRF Issues

11. Vulnerabilities in User-Supplied Content

12. Attacks Requiring Physical Access

13. Automated Scanner Reports Without Manual Verification

14. Lack of Email Security Features

15. Account Enumeration on Public Interfaces

16. Bugs Without Substantial or Demonstrable Security Risk

17. Public Exposure of Budgets, Salaries, or Personnel Rosters

18. Credentials dumps

19. Other Methods Not Authorized in 'Test Methods'

Vulnerability Disclosure Program

Vulnerability Disclosure Program