We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a fundamental belief at iwantmyname. Every day new security issues and attack vectors are created. iwantmyname strives to keep abreast of the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure and privacy-enhanced world.
Out of scope
Please read and follow the rules in the Standard Disclosure Terms.
TL;DR: we can run these automated scans too, so please only report things that are actually vulnerable in some way. For example, openssh/2200 without password auth is not a vuln, dns/53 that returns REFUSED is not either, and http/80 with a redirect to https isn't either.
The following finding types are specifically excluded from the bounty:
- Descriptive error messages (e.g. Stack Traces, application or server errors).
- Login page / forgot password page: account brute force, or account lockout not being enforced.
- HTTP 404 codes/pages or other HTTP non-200 codes/pages.
- Banner disclosure on common/public services.
- Disclosure of known public files or directories, (e.g. robots.txt).
- Clickjacking and issues only exploitable through clickjacking.
- Self-XSS and issues exploitable only through Self-XSS.
- CSRF on forms that are available to anonymous users (e.g. the contact form).
- Logout Cross-Site Request Forgery (logout CSRF).
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
- Findings derived from SSL settings (e.g. BREACH attack, insecure SSL ciphers enabled).
- Lack of Secure and HTTPOnly cookie flags.
- Lack of Security Speedbump when leaving the site.
- Copy-pasted results from open port scans without subsequent investigation.
- Other similar low value/low effort skrypt k1dd13 checks.