<aside>
🌐 https://artifex.com/bug-bounty-out-of-scope
</aside>
The following items are out of scope and will not be considered for bug reports:
Web and email security
- Attacks requiring physical access to the victim's computer, including employee computer compromise
- Man-in-the-middle attacks
- Social engineering, phishing, or other fraud including but not limited to: internationalized domain name (IDN) homograph attacks, Right-to-left (RTL) Ambiguity, RTL Override (RTLO), SPF and DKIM issues, HTML content injection, Tabnabbing
- Missing Security Headers (e.g. HSTS, CSP) and Missing Secure Flags on Cookies
- CSRF without any security impact
- Rate limiting and XSS attacks (we are aware of these)
- DMARC protection and email spoofing attacks
<aside>
⚠️ There will be no bug bounties or letters of appreciation. People who repeatedly report bugs in these areas in defiance of this list will be excluded from consideration for all possible future bug bounties or letters of appreciation. Furthermore, user accounts from Bugzilla may be removed at our discretion.
</aside>