If you aren’t familiar with ethical hacking, also known as security research, then please read this paragraph. When you do security research for a client, they can give you a scope, or in other words a list of areas they don’t want you to test. I have been very vocal about how creating a scope makes a site more vulnerable and a bigger target. I was wrong to some extent, and I am willing to admit that and explain it to anyone else who hates the scopes that customers set.
When is a scope wrong?
Customers can design the scope on their own without help; however, sometimes they don’t know what they’re doing, or they want to save money, so they put the most critical things out of scope. What I am going to say next is slightly odd, but I’ll say it anyway. A scope needs to exist, and while I still agree that areas not in scope are the most vulnerable, you have to think about which area holds the most sensitive information. Sure, you can point out how you could reach those areas from the out-of-scope areas, but we must realize that doing any security work at all is a big step for many companies.
If a company wants to protect its data, then it makes sense to start where that sensitive data is stored and then work outward to the areas that don’t store sensitive data. If a customer puts an area with sensitive information out of scope, there is a major problem. If you report issues in that area and they are denied because of the scope, you have an even worse problem. At this point it starts to look like the company doesn’t really care about security and would rather give its clients the impression that it does. This is where the argument over scope matters most, and while I’ve never heard anyone explain it this way, it makes the most sense.
So, to wrap things up: a scope is fine if it includes all sensitive data, but a scope isn’t good if it excludes sensitive data.