
Two Admin-Level API Keys Publicly Exposed for Years Dismissed as Out of Scope by Bug Bounty Programs
Bug Bounties, API Security, Vulnerability Assessment, Exposure Severity
A research team reported two exposed credentials—a Slack Bot Token (publicly accessible for 3 years) and an Asana Admin API Key (exposed for 2 years)—to official bug bounty programs, but both were classified as "out of scope." Despite the organizations revoking the keys and conducting internal reviews, the findings remained officially unrecognized. The team proposed a 6-axis scoring framework to assess post-discovery severity, arguing that existing standards (e.g., OWASP API Top 10, CWE-798) focus on prevention rather than evaluation. The cases were scored as critical (26/30 and 24/30) under the proposed system.