I'll be posting tips and tricks from my bug hunting methodology here on the forums over the next few weeks =)
Subdomains and Finding fresh in-scope Targets:
For the subdomain tools, it's not really the script I care about, more the list. I usually cat > unique all of the major ones (fierce, subbrute, subdomainer, knock, etc, etc) into a list and use a tool that can take custom lists. Don't miss out on recon-ng either, using its Baidu, Google, Netcraft, and Shodan search modules to find subdomains. I wrote a wrapper script for this here:
Another tip: don't forget port scanning on your targets. I see web hunters get too caught up in the application and forget some of these subdomains are redirects to entirely different boxes, and then miss very cool network-level vulns. Keep your eye and ear to the Metasploit community and what modules are new and exciting there, especially ones pertaining to internet-facing services.
Keep checking back at targets that do not have a mobile version of the site, and when they add one (and if it is covered in the scope), test it thoroughly. In my experience, mobile sites designed around phone viewing are rife with XSS, CSRF, etc, etc. A lot of the time they even lack security controls that the main site might use, in favor of speed.
Now, for bug hunting in general, not just Bugcrowd or 3rd party hosted bounties, you want to watch Twitter and Wikipedia for acquisitions. Every acquisition brings in a plethora of new targets that could be covered under the bounty program. Make sure to check the bounty program though; some have a restriction on how soon these sites can be tested.
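
The list-merging step described in the post, as an added example (not the author's wrapper script): it normalizes several subdomain wordlists, drops entries that are not valid hostnames, and ranks each entry by how many lists contain it. The function names, file names and sample entries are constructed for illustration.

```shell
# Added example: merge subdomain wordlists into one ranked, de-duplicated list.

# normalize_list FILE: strip CRs and comments, lowercase, trim whitespace,
# keep only RFC 1123-style names (labels of 1-63 chars, no leading/trailing hyphen),
# and de-duplicate so each source list counts an entry once.
normalize_list() {
    tr -d '\r' < "$1" \
      | tr '[:upper:]' '[:lower:]' \
      | sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
      | grep -E '^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$' \
      | LC_ALL=C sort -u
}

# merge_wordlists FILE...: print entries ordered by the number of lists
# that contain them (most common first), ties broken alphabetically.
merge_wordlists() {
    mw_tab=$(printf '\t')
    for mw_file in "$@"; do
        normalize_list "$mw_file"
    done \
      | LC_ALL=C sort | uniq -c \
      | awk '{ print $1 "\t" $2 }' \
      | LC_ALL=C sort -t "$mw_tab" -k1,1nr -k2,2 \
      | cut -f2
}

# Constructed sample lists: mixed case, CRLF line endings, a comment,
# a blank line and two invalid entries ("-bad-", "not valid").
make_sample_lists() {
    printf 'www\nmail\nDEV\n# comment\nadmin\r\n' > "$1/list_a.txt"
    printf 'www\ndev\napi\n-bad-\n\n'             > "$1/list_b.txt"
    printf 'WWW \nstaging.api\nmail\nnot valid\n' > "$1/list_c.txt"
}

demo_dir=$(mktemp -d)
make_sample_lists "$demo_dir"
merge_wordlists "$demo_dir"/list_a.txt "$demo_dir"/list_b.txt "$demo_dir"/list_c.txt
rm -rf "$demo_dir"
```

Ranking by list count puts the names most tools agree on first, which helps when the consuming tool is run with a time or request budget.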