Theoretical vulnerabilities without POC
Any Dos/DDoS activities
Invalid or missing SPF records (incomplete or missing SPF/DKIM/DMARC)
Clickjacking/UI with minimal security impact
Cache-control related issues
Exposure of internal IP address or domains
Vulnerabilities affecting outdated or unpatched browsers.
Bugs already known or already reported by someone else (reward goes to first reporter).
Issues that aren't reproducible.