by GauntletWizard 4576 days ago
This is a trite response to an actual concern: Placing scope limits on bug bounties is meaningless and dangerous. Hackers will not respect your scope. The scope of a bug bounty program should always be "Anything that affects our, or our users', data or security".

There's plenty of non-entities that get reported: Failures of XSS protections on data that is actually public, vulnerabilities on vendors' sites that don't impact your data, etc. Those should be dealt with with a polite thank you. Everything else should be valid, and everything else should be paid. Possibly not high-tier paid. Have your security team (You don't have a security team? Make one, even if it's just the coder from your team who has the most experience) triage and report. Fix things, or don't, but don't be an asshole and try to downplay real issues.

1 comment

I think that oversimplifies the problem. I think a scope helps keep overeager researchers from doing things that result in legal problems for the company. For example, are laws that require notification of data breaches and personal identification triggered in certain cases? This isn't an academic setting, these are real businesses.

I think the best of both worlds would be very wide scopes with targeted limitations. Don't log into user accounts or company accounts at other services, but here's a few sample user accounts that are fair game and if it's an external service, here's a rep to vet whether credentials you gathered are correct or not.