Understanding the Scope: Navigating Website Pentesting and Bug Bounty Targets


Nathan Vincent

Before testing any targets, it is crucial to understand the importance of a scope. A scope defines the boundaries of what is authorized for testing, ensuring ethical and legal compliance. Knowing how to interpret and adhere to the scope helps avoid overstepping boundaries, protecting both the tester and the organization.

What is a scope?

A scope in pentesting or bug bounties defines the boundaries of what can be tested. It specifies included targets (e.g., domains, IPs, or applications) and excluded areas. Understanding scope ensures testers focus on authorized assets, avoid legal issues, and provide valuable insights while protecting sensitive or out-of-scope resources.

Scope Example:

For this I'm going to use my custom CMS, zeroscorpion.cms.

In-Scope:

Website: zeroscorpion.cms
API: api.zeroscorpion.cms/v1/*
Subdomains under *.zeroscorpion.cms

Out-of-Scope:

CDNs (Content Delivery Networks) that serve the site's third-party assets

Rules:

Can register accounts.
No restriction on tools used.

This is a very basic scope designed for a lab environment, where there is minimal risk. In a production program, the scope will usually carry many more rules to limit the impact of testing: certain tools (automated scanners, for example) may be restricted, a cap may be placed on how many accounts you register, and specific behaviours such as denial-of-service testing or social engineering are commonly prohibited. Adhering strictly to the defined scope is critical to avoid unintended consequences, and if a rule is ambiguous the safe move is to ask the program before testing rather than interpret it in your own favour.

My CMS is built using Bootstrap, and when the scope refers to CDNs, it specifically means the following:

<!-- Bootstrap JavaScript -->
<script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/js/bootstrap.bundle.min.js"></script>

CDNs provide fast, cached delivery of shared resources like this one. They are third-party infrastructure that the program owner neither runs nor is authorised to have tested, which is why a scope will typically exclude them explicitly.

This means that the host https://cdn.jsdelivr.net is not part of the defined scope. As a result, testing or sending any attack traffic to this host during your assessment is not permitted. The distinction is about which hosts you may touch: the page on zeroscorpion.cms that includes this script is part of the in-scope website, but the CDN that serves the script is not.
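To make the scope above something a tool can enforce rather than something you keep in your head, here is an added example (my own code, not part of the original post or of zeroscorpion.cms) of a small scope filter. It takes the in-scope entries exactly as written in the post (a bare host, a host with a path pattern, and a *.wildcard) plus the named CDN host as an exclusion, and decides for each candidate URL whether it may be tested. The candidate URLs in the `__main__` block are constructed sample input, the kind of list a subdomain or URL discovery tool would hand you.

```python
# Added example: a scope filter for the zeroscorpion.cms lab scope.
# Not code from the original post; the scope entries are copied from it,
# the candidate URLs below are constructed for illustration.
from __future__ import annotations

from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


def _split_pattern(pattern: str) -> tuple[str, str]:
    """'api.zeroscorpion.cms/v1/*' -> ('api.zeroscorpion.cms', '/v1/*');
    'zeroscorpion.cms' -> ('zeroscorpion.cms', '') (empty path = whole host)."""
    host, sep, path = pattern.lower().partition("/")
    return host, (sep + path) if sep else ""


def _host_matches(pattern_host: str, host: str) -> bool:
    # A leading "*." wildcard covers any depth of subdomain
    # (a.b.zeroscorpion.cms) but not the bare apex, which needs its own entry.
    if pattern_host.startswith("*."):
        return host.endswith(pattern_host[1:])
    return host == pattern_host


def _path_matches(pattern_path: str, path: str) -> bool:
    # No path in the pattern means the entire host is covered.
    if not pattern_path:
        return True
    return fnmatchcase(path, pattern_path)


def _parse_target(target: str) -> tuple[str, str]:
    """Normalise a URL or bare host name to (host, path); ports are dropped."""
    if "://" not in target:
        target = "https://" + target
    parts = urlsplit(target)
    return (parts.hostname or "").lower(), parts.path or "/"


@dataclass
class Scope:
    in_scope: list[str]
    out_of_scope: list[str] = field(default_factory=list)

    def _matches_any(self, patterns: list[str], host: str, path: str) -> bool:
        for pattern in patterns:
            p_host, p_path = _split_pattern(pattern)
            if _host_matches(p_host, host) and _path_matches(p_path, path):
                return True
        return False

    def is_in_scope(self, target: str) -> bool:
        host, path = _parse_target(target)
        if not host:
            return False
        # Exclusions win over inclusions: an out-of-scope entry means "do not
        # touch this" even when a broader in-scope rule would otherwise cover it.
        if self._matches_any(self.out_of_scope, host, path):
            return False
        return self._matches_any(self.in_scope, host, path)

    def filter_targets(self, targets: list[str]) -> list[str]:
        """Keep only the targets you are authorised to test."""
        return [t for t in targets if self.is_in_scope(t)]


# The scope from the post. cdn.jsdelivr.net is the CDN host the post names;
# any other third-party host is out simply because it is not listed as in scope.
ZEROSCORPION_SCOPE = Scope(
    in_scope=["zeroscorpion.cms", "api.zeroscorpion.cms/v1/*", "*.zeroscorpion.cms"],
    out_of_scope=["cdn.jsdelivr.net"],
)

if __name__ == "__main__":
    # Constructed sample targets, as a discovery tool might produce them.
    candidates = [
        "https://zeroscorpion.cms/login",
        "https://api.zeroscorpion.cms/v1/users",
        "https://api.zeroscorpion.cms/v2/users",
        "https://staging.zeroscorpion.cms/",
        "https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/js/bootstrap.bundle.min.js",
        "https://zeroscorpion.cms.evil.example/",
    ]
    for url in candidates:
        print("IN " if ZEROSCORPION_SCOPE.is_in_scope(url) else "OUT", url)
```

Two things the filter surfaces that the written scope does not make obvious. First, a look-alike host such as zeroscorpion.cms.evil.example is rejected because the wildcard is matched on the ".zeroscorpion.cms" suffix, not on a substring; a naive `"zeroscorpion.cms" in url` check would have let it through. Second, with this exact scope, api.zeroscorpion.cms/v2/users is reported as in scope even though the API line only names /v1/*, because the separate "*.zeroscorpion.cms" entry covers the whole API host. Whether the program intended the /v1/* restriction to limit the API host or merely to highlight it is precisely the kind of ambiguity to clear up with the program owner before testing.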

This is a simple example and an introduction to understanding the use of a scope. As I am still in the early stages of learning, I am not yet prepared to participate in bug bounties, nor am I registered with any bug bounty platforms. My knowledge of scopes is still very limited, and I recognise there is much more to learn. I plan to revisit and expand this post in the future as I deepen my understanding and gain experience with the requirements and intricacies of working within defined scopes.

From System Administrator to Bug Bounty Hunter: Follow the Journey! 🚀
Explore how to transition from a system administrator to a skilled bug bounty hunter. Dive into the tips, tools, and real-world examples that will guide you on this exciting journey.

To follow along with this series, visit the blog:
👉 https://zeroscorpion.net/from-system-administrator-to-bug-bounty-hunter/

Stay connected and updated:

X (formerly Twitter): @XZeroScorpionX
LinkedIn: Nathan Vincent
Ready to level up your skills? Let’s hunt some bugs! 🐞
