Knockpy (https://github.com/guelfoweb/knock) is a command-line tool for discovering subdomains. This is useful when you just have a main domain and you need to find all the applications or modules included in it. But as I mentioned before, verify the bug bounty scope; you cannot look for all subdomains in all bug bounties.