I don't expect an unbounded scope but I do expect it to cover the big scary headline items like RCE. Additionally, this can be exploited without MitM if you combine with e.g. a DNS cache poisoning attack. And they can still fix it even if they're not willing to pay a bounty.
DNS poisoning is a MITM vector; in fact, it's the most popular MITM vector.
Really? I thought MitM was always intercepting/manipulating traffic from or to the victim.
What you wrote is the definition of MITM.
Op and others are saying DNS poisoning is a popular way of achieving that goal.
Oh you mean that it's a popular way of initiating the interception part of MitM, got it.