This is great, but since the authors are here, some constructive feedback: if you were to ask me what the most important and misunderstood issue in security research is, I'd say it's the distinction between web application testing (the subject of most bug bounties) and mobile/platform/executable software security research (i.e., finding browser zero-days).
I skimmed the guide and I know the distinction is covered in multiple points throughout, but it would be helpful in future versions of this document to find a way to center it. There are a lot of people who believe that finding browser vulnerabilities is legally risky, and a lot of people who believe there are good-faith security exemptions to testing for XSS vulnerabilities in web sites.
FYI, Thomas (aka tptacek) would be an excellent resource in your area, in case you don't already know that. (He consistently tops the leaderboard of HN karma points.)