What do you do when a target is not explicitly mentioned as in or out of scope?? I’m specifically talking about mobile apps? Is it best to not test and assume its not in scope and potentially be missing out on exploits, Or I do I test and submit, hoping its in scope a lot of programs I noticed don’t even mention their mobile apps not specifically on bugcrowd but other platforms as well
If you find an obvious and exploitable vulnerability you should always report. If you’re not sure I would reach out to support via twitter and ask what best way to contact the security team is. Something along the lines of “Hi I found privilege escalation issue in your mobile app on android where can I report the details?” and they will answer you. However, for things that are not explicitly in scope don’t expect bounty, if they issue one take it as a bonus.
I would say you can test it at a surface level and look for glaring issues. That being said if you want to know before you research and the program is listed in BugCrowd just contact support and ask if you can test the mobile app.