Just out of interest have you had any legal threats etc from this kind of probing if they don't have explicit bug bounty programs? Also do you ever get offered bounties in on reporting where there wasn't a program?
When I was still in university I reported a vulnerability and when the company started threatening me with legal action, my professor wrote a strongly worded email and they dropped it. Haven't had it since in 8 years. Feels like many companies understand what we do now, atleast compared to 10 years ago.