Reading the scope of the bug bounty is probably the most important thing you should do before even looking at the program's website. It will be really frustrating when you spend a week looking for vulnerabilities in a bug bounty program only to find out that the domain that you tested is not included in the scope. The conventional scope of a bug bounty program contains the following bits of information:
- Mission statement
- Participating services
- Excluded domains
- Rewards and qualifications
- Eligibility for participation
- Conduct guidelines
- Nonqualifying vulnerabilities
- Commitment to researchers