This is more of a comment than a question, but relevant to the scope discussion above -
I keep running into subdomains that fall within the advertised scope of a bounty, but are clearly out of scope (i.e. “files.company.com” = Google Drive, etc.). That example is fairly obvious, but many are not.
I wish there was a process for getting the scope updated. Seems like that would be pretty easy. I did try to notify one company via a vuln write-up and received an “out of scope” reply… (oh, the irony…).
If customers don’t update their bounties, maybe we can have a forum subject to share this data with other researchers and keep us all out of trouble? Forum topic “Out of Scope Systems” (and provide the reasoning).
Food for thought.