While we welcome information about any potential issue that can affect the security of eBay or our customers, we exclude the following issues from this program unless you demonstrate that the issue can be exploited:

  • SSL vulnerabilities related to configuration or version
  • Denial of Service (DoS)
  • User enumeration/Brute forcing (for example Login and Forgot Password page)
  • Issues present only in older versions of browsers, plugins or any other software
  • HTTP TRACE method is enabled (qualifies if you can demonstrate an actual attack using it)
  • Clickjacking on pages without any authentication and/or sensitive state changes
  • Social Engineering/Phishing
  • Content spoofing
  • Self-XSS. Cross-site scripting issues should be exploitable as reflected, stored or DOM-based XSS.
  • Logout and other instances of low-severity CSRF
  • Missing HTTP headers
  • Missing cookie flags on cookies
  • Password complexity and reset password flow complexity
  • Invalid or missing SPF (Sender Policy Framework) records
  • Software banner / version disclosure (will qualify if you are able to provide a PoC that it is exploitable)
  • Results of automated tools or scanners
  • Autocomplete attribute on web forms
  • Vulnerabilities which require a jailbroken device