In Scope / Out of Scope / In Between?

Hi Everyone! I have a question. If a particular program has designated domains/subdomains (no wildcards), and explicitly puts a number of domains/subdomains out of scope - should I ignore other subdomains I find? Even if vulnerable? They aren’t explicitly out of scope, but also aren’t listed in scope.

I’ve heard people say a lot of different things on this topic. I’ve heard some people say report it anyway, others to only stay strictly within scope. Are we even allowed to enumerate targets that aren’t in scope? Any input would be greatly appreciated!

With testing, I would keep it black and white. If it says this is whats in scope, then keep your testing to that. The minute you go out of scope is where you can get into all heaps of trouble. Happy hunting!