Bug bounty programs dismissing exposed API keys as 'out of scope' creates security blind spot