— By apex domains, I mean wildcard domains: those whose scope is defined with a subdomain wildcard. For example, *.target.com.
— I hunt only on BBP, since I don't believe in VDPs. Karma points are not worth my time. I want to get awarded for my efforts, especially when I spend some money on server resources.
— To have fewer dupes, it's recommended to participate in a private program. All in all, treat this write-up as an example from which you can improve your own automation. This is not the only way to hack. Many endpoints employ WAFs, so you have to research the newest ways to bypass them. You could also check POST, PUT, and PATCH requests when applying XSS automation.