A few years ago I was testing a service acquired by Dropbox and they updated the scope of the Dropbox acquisitions program on HackerOne to exclude said program while I was in the middle of testing it and I didn't notice (checked later with the "last updated" diff). Unfortunately the vulnerabilitie(s) I discovered didn't count and their reply was all "no harm, no foul, thanks anyway."
A few years ago I was testing a service acquired by Dropbox and they updated the scope of the Dropbox acquisitions program on HackerOne to exclude said program while I was in the middle of testing it and I didn't notice (checked later with the "last updated" diff). Unfortunately the vulnerabilitie(s) I discovered didn't count and their reply was all "no harm, no foul, thanks anyway."