Jan 3, 2024
Couldn't agree more :) I've found valid open redirections and subdomain takeovers and still lost points as they were listed as out of scope.
In this case their response was that, this being a reflected XSS, it lacked an immediate impact.
I've added a screenshot of the P5 report for clarity :)