Bug bounty companies be like “We are not interested in bugs in things that aren’t our products. Unless you can non-destructively prove RCE exists in our stuff. Then we demand an WAF bypass, even though that’s actually another company’s code.”