While we welcome information about any potential issue that can affect the security of eBay or our customers, we exclude the following issues from this program unless you demonstrate that the issue can be exploited:
- SSL vulnerabilities related to configuration or version
- Denial of Service (DoS)
- User enumeration/Brute forcing (for example Login and Forgot Password page)
- Issues present only in older versions of browsers, plugins or any other software
- HTTP Trace method is enabled.
These qualify if you are able to execute an attack.
- Clickjacking on pages without any authentication and/or sensitive state changes
- Social Engineering/Phishing
- Content spoofing
- Self-XSS. Cross-site scripting issues should be exploitable in reflected, stored or DOM-based types.
- Logout and other instances of low-severity CSRF
- Missing HTTP headers
- Missing cookie flags on cookies
- Password complexity and reset password flow complexity
- Invalid or missing SPF (Sender Policy Framework) records
- Software banner / version disclosure.
These qualify if you are able to provide an exploitable POC.
- Results of automated tools or scanners
- Autocomplete attribute on web forms
- Vulnerabilities which require a jailbroken device
