> most bug bounties won't pay out XSS unless you can demonstrate that it actually leads to something. Because it almost always doesn't.

This is weird. XSS usually leads to complete session takeover, and being able to perform arbitrary actions as the victim. This is usually critical impact.

If you aren't seeing that, the most likely explanations seem to me to be that you have some kind of idiosyncratic definition of XSS (something preventing session takeover?), or a website that doesn't allow users to perform interesting actions or access their own interesting data.

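As an added illustration of the point above (example code, not part of the thread): a minimal reflected-XSS sink beside an escaped version, with a constructed payload that performs an action as the victim rather than stealing the cookie. The endpoint `/api/transfer`, the function names and the payload are all made up for illustration. The example also notes the caveat a practitioner would raise: `HttpOnly` stops `document.cookie` theft, but same-origin requests sent by injected script still carry the victim's session, so "arbitrary actions as the victim" survives that mitigation.

```javascript
// Added example, not code from the HN thread. All names are hypothetical.

// Vulnerable sink: user-controlled `name` is concatenated straight into HTML.
function renderGreetingVulnerable(name) {
  return `<h1>Hello, ${name}!</h1>`;
}

// Escaping for an HTML text or attribute context. Covers the five characters
// that matter there; it is NOT sufficient for a JavaScript or URL context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened sink: same template, input escaped for the context it lands in.
function renderGreetingSafe(name) {
  return `<h1>Hello, ${escapeHtml(name)}!</h1>`;
}

// Demonstration heuristic only (not a sanitizer): does the rendered page
// still carry an executable script element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed attacker input. Instead of reading document.cookie (blocked by
// HttpOnly), the payload issues a same-origin request; the browser attaches
// the victim's session cookie automatically, so the action runs as the victim.
// "/api/transfer" is a hypothetical endpoint used only for illustration.
const PAYLOAD =
  '<script>fetch("/api/transfer",{method:"POST",credentials:"include",' +
  'body:"to=attacker&amount=1000"})</script>';

// Session cookie attributes a server should set. HttpOnly keeps the token
// out of script; it does not stop the request-forging payload above.
function sessionCookieHeader(token) {
  return `session=${encodeURIComponent(token)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Returns whether the payload reaches the page as executable markup
// through each sink, so the two outcomes can be compared side by side.
function demo() {
  return {
    vulnerable: containsScriptTag(renderGreetingVulnerable(PAYLOAD)),
    safe: containsScriptTag(renderGreetingSafe(PAYLOAD)),
    cookie: sessionCookieHeader('abc123'),
  };
}

module.exports = { renderGreetingVulnerable, renderGreetingSafe, escapeHtml, containsScriptTag, sessionCookieHeader, demo, PAYLOAD };
```

Run `node` on the file and call `demo()`: the vulnerable sink emits the `<script>` element intact, the escaped sink renders it as inert text, and the cookie header shows the attributes that limit (but do not eliminate) the impact the comment describes.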