A frequent question that I hear from bug bounty hunters is whether their finding is a valid issue and whether they should report it. This tool will check the contents of your report against a list of keywords commonly associated with invalid reports and determine whether you should submit your report.
This is the notorious Hall of N/A — a list of issues that are usually not accepted by bug bounty programs.
| Issue | Why it is usually not accepted |
|---|---|
| Network-level Denial of Service (DoS/DDoS) vulnerabilities | Most bug bounty programs, if not all programs, do not want you to disrupt any of their services. On top of that, to be honest with you, if someone really wants to take down a service they will always find a way. |
| Missing security headers | These low severity issues can easily be detected with tools such as Hardenize and Security Headers. |
| Content injection | The severity of this issue is so low that it does not warrant a report. |
| Logout CSRF | In order for CSRF to be a valid issue it must affect some important action such as deleting one's account. |
| Missing cookie flags on non-security-sensitive cookies | These types of issues do not present a major risk and are usually picked up by scanners. |
| 401 injection | With this issue type it really depends on the program. Check previous reports to the program you plan on reporting 401 injection to and see if they have accepted 401 injection in the past. |
| Banner grabbing issues (figuring out what web server the company is using) | Without a detailed proof of concept, most programs will not accept these types of reports. |
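
An added example of the keyword check described at the top of this page, not the tool's own code: the patterns, the `triage` function and the sample reports are assumptions constructed from the table rows. It also encodes the rows' own caveats: only logout CSRF is flagged, cookie flags are skipped when the report concerns a session or auth cookie, and 401 injection or banner grabbing with a proof of concept is marked for review rather than N/A.

```python
import re

# Constructed patterns, one per table row; the real tool's keyword list is not on the page.
RULES = [
    ("Network-level DoS/DDoS", r"\b(ddos|denial[- ]of[- ]service|dos attack)\b", "na"),
    ("Missing security headers", r"\bmissing\b.{0,40}\bheaders?\b|\b(x-frame-options|hsts)\b", "na"),
    ("Content injection", r"\b(content|text) injection\b", "na"),
    ("Logout CSRF", r"\b(logout|sign-?out)\b.{0,40}\bcsrf\b|\bcsrf\b.{0,40}\b(logout|sign-?out)\b", "na"),
    ("Missing cookie flags", r"\b(httponly|secure|samesite)\b.{0,40}\b(flag|attribute)\b", "na"),
    ("401 injection", r"\b401 injection\b", "review"),
    ("Banner grabbing", r"\bbanner grabbing\b|\bserver (version|banner)\b", "na"),
]

def triage(report: str) -> dict:
    """Return a verdict plus the table rows whose keywords matched the report."""
    text = " ".join(report.lower().split())
    hits = []
    for name, pattern, outcome in RULES:
        if not re.search(pattern, text):
            continue
        # The cookie row covers only non-security-sensitive cookies.
        if name == "Missing cookie flags" and re.search(r"\b(session|auth\w*)\b", text):
            continue
        # The banner row objects to a missing proof of concept, so a PoC softens it.
        if name == "Banner grabbing" and re.search(r"\b(poc|proof of concept)\b", text):
            outcome = "review"
        hits.append((name, outcome))
    if any(o == "na" for _, o in hits):
        verdict = "likely N/A"
    elif hits:
        verdict = "review before submitting"
    else:
        verdict = "no N/A keywords matched"
    return {"verdict": verdict, "hits": hits}

# Constructed sample reports.
SAMPLES = [
    "The login page is missing the X-Frame-Options header.",
    "CSRF on /account/delete removes the victim's account.",
    "The session cookie lacks the HttpOnly flag.",
    "401 injection on the password reset endpoint.",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(triage(s)["verdict"], "<-", s)
```

A keyword match only says the report resembles a commonly rejected category; the program's own policy and past reports still decide.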