← back to lessons

Lesson: For Web2 active-test lanes, pick programs whose ACTIVE-TEST authorization is server-rendered TEXT on the vendor's OWN domain

Date: 2026-06-11 Banked from: Web2 lane 3 (Meta Bug Bounty unauthenticated hygiene pass), following the Mozilla lane stall (passive-only because scope sat behind a JS-rendered HackerOne SPA).

The problem this fixes

The Mozilla Web2 walk dropped to passive-only because its per-asset scope + active-test authorization lived on hackerone.com/mozilla/policy_scopes, a JS-rendered SPA that WebFetch/curl cannot read as text. Most mature programs route the same way: their .well-known/security.txt Policy field points at HackerOne / Bugcrowd / Cantina, all of which serve scope via client-side JS. So security.txt alone almost never yields a quotable active-test grant.

Discovery results (2026-06-11 sweep, which security.txt Policy fields resolve to)

What DID work (the rule)

Meta Bug Bounty publishes BOTH scope and safe-harbor on its OWN server-rendered pages: - bugbounty.meta.com/scope/ -> exact in-scope domain list, readable as text. - bugbounty.meta.com/terms/ -> explicit CFAA authorization verb: "We consider these terms to provide you authorization, including under the Computer Fraud and Abuse Act (CFAA) ... to test the security of the products and systems identified as in-scope below."

That is the gold standard for this lane: vendor-self-hosted, server-rendered, contains an authorization VERB tied to a named asset list.

Operating rule for future Web2 active lanes

  1. Before committing to a program, fetch its scope/terms with curl/WebFetch and confirm you can QUOTE (a) an in-scope asset list and (b) an authorization verb ("you are authorized to test" / "we provide you authorization to test"). If either is JS-only, PIVOT - do not drop to passive by default.
  2. Quotable != authorizing. Some server-rendered programs (Uniswap/Cantina) explicitly PROHIBIT live testing. Read the prohibition list too.
  3. Best sources of text-quotable active scope, in priority order: a. Vendor self-hosted bug-bounty site with server-rendered scope+terms (Meta, Meta- class). b. Cantina/Code4rena markdown scope (but check the no-live-testing clause). c. Vendor self-hosted VDP page with a safe-harbor verb.
  4. HackerOne/Bugcrowd SPA scope = the Mozilla trap. If that is the only source, the honest call is passive-only OR pivot to a different program.

Secondary lessons banked

Generated 2026-07-02 13:15:03 UTC | auto-sync /15min