**Can someone explain the actual scope meaning?**
For example, many companies state NO AUTOMATION SCANNING as out of scope, but what exactly do they mean by this?
- Do NOT conduct non-technical attacks such as social engineering, phishing or unauthorized access to infrastructure.
- Do NOT test the physical security of MasterCard offices, employees, equipment, etc.
- Do NOT perform any attack that could harm our services (e.g. DDoS/Spam).
- Do NOT attack, in any way, our end users, or engage in trade of stolen user credentials.
- Do NOT use automated scanners and tools to find vulnerabilities.
- Do NOT perform automated/scripted testing of web forms, especially "Contact Us" forms that are designed for customers to contact our support team.
- You may investigate or target vulnerabilities against your own or test accounts, but testing must not disrupt or compromise any data or data access that is not yours.
The following finding types are specifically excluded from the bounty:
- Descriptive error messages (e.g. stack traces, application or server errors).
- HTTP 404 codes/pages or other HTTP non-200 codes/pages.
- Fingerprinting / banner disclosure on common/public services.
- Disclosure of known public files or directories (e.g. robots.txt).
- Clickjacking and issues only exploitable through clickjacking.
- CSRF on forms that are available to anonymous users (e.g. the contact form).
- Logout Cross-Site Request Forgery (logout CSRF).
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
- Lack of Secure/HTTPOnly flags on non-sensitive cookies.
- Lack of security speedbump when leaving the site.
- Weak Captcha / Captcha bypass.
- Forgot Password page brute force and account lockout not enforced.
- OPTIONS HTTP method enabled.
- Username / email enumeration:
  - via Login Page error message
  - via Forgot Password error message
- Missing HTTP security headers, specifically (https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.:
  - Strict-Transport-Security
  - X-Frame-Options
  - X-XSS-Protection
  - X-Content-Type-Options
  - Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
  - Content-Security-Policy-Report-Only
- SSL issues, e.g.:
  - SSL attacks such as BEAST, BREACH, Renegotiation attack
  - SSL forward secrecy not enabled
  - SSL weak / insecure cipher suites
- Vulnerabilities affecting users of outdated browsers or IE < 9, Chrome < 40, Firefox < 35, Safari < 7, Opera < 13
Most of the above does not allow a successful test.