The attack surface of many organizations has grown exponentially, making them more susceptible to weaknesses. To combat this, security teams are using crowdsourced security solutions, such as bug bounty programs, which have expanded their scope to include more assets. However, when the attack surface expands but the scope remains the same, it creates a gap in coverage and grey areas for security researchers who identify issues outside of the program's scope. This can lead to ambiguity for researchers on where to report out-of-scope findings, potentially causing stressors for both parties. To alleviate this issue, organizations can consider having an expansive bounty program that includes all assets owned by the organization or running a Vulnerability Disclosure Program (VDP) in conjunction with their bug bounty, providing a clear and open scope for researchers to report security concerns. By offering bounties for all findings or implementing a VDP, organizations can encourage more active bug hunting and ensure their entire attack surface is being secured.