Bug Bounty Forum


What is a bounty program?

On each bug bounty platform you have programs. Each program is either managed by the platform or run by a company. Each program consists of the following:

Scope

The scope defines which applications and services the program will take submissions for. For example, Yahoo allows yahoo.com, but it may not pay for vulnerabilities on yahoo.net. The scope also defines which types of vulnerabilities the program considers valid; not all programs accept the same classes of bugs, and even a common class such as Cross-Site Scripting may be considered out of scope for a particular program. It's important to review the scope both for legal reasons and to make sure you aren't wasting the platform's time.

Privacy

Most bounty platforms have private programs, which means you need to be invited before you can submit vulnerabilities to them. Invitations are either issued manually by the company or platform, or sent out randomly based on your rank or reputation. You need to start submitting valid (non-duplicate) vulnerabilities to public programs before you'll start getting invites to private programs. Private programs make up the majority of the programs on each platform.

It's important that you don't discuss information or talk about the private programs you are invited to with others. Some programs/platforms take this seriously and will remove you from the program and/or platform if you are caught doing this.

Rewards

Some platforms have programs that are swag-only or offer no rewards at all. On most platforms you will still gain reputation points for valid submissions to them. These programs tend to get the least attention, which makes them one of the easiest ways to start gaining rank on a platform, and therefore one of your best routes to being invited to private programs.

Non-Platform Programs

Some companies run their own bug bounty program without using a bug bounty platform. Here are some of the biggest companies that run independent bounty programs.

  • Google
  • Facebook