Out of scope findings

How to handle out of scope findings?

Written by Travis Anderson
Updated over a week ago

Sometimes, while doing their research and orientation, researchers will stumble upon vulnerabilities on out-of-scope domains.

They may still choose to disclose the vulnerability to you via the program.

Most of the time, triage will reject these submissions as out of scope. When a submission is rejected as out of scope, the researcher does NOT receive a bounty or reputation points. The rejection also negatively affects the researcher's valid ratio, which matters because the valid ratio, among other parameters, determines whether researchers are invited to private programs.

However, the triage team will sometimes still forward out-of-scope submissions to you when there is a clear business impact and they think you should be made aware of the issue. In that case, they will typically change the severity to "Undecided" and the domain to "Out of scope", so that you still have the option to accept the submission as a valid out-of-scope finding, or to reject it.

No bounty for out-of-scope submissions

Submissions which have the domain set to "other" (and are therefore out of scope) will always have the bounty set to 0. The researcher will still receive reputation points, according to the severity that is selected.

You can choose to reward the researcher with a bonus.

If you are receiving interesting findings on out-of-scope assets, you can of course consider adding those assets to your scope.

When in doubt, reach out to your Customer Success Manager.
