Would "provide a working proof-of-concept that doesn't require DNS configuration on the client" not cover the difference? Maybe it'd be nice to still care about moderate-risk theoretical stuff without needing a fully functional PoC, but this would at least stop cases where bug reporters show a working exploit and still get ignored and not paid (I was reading just yesterday about the [Zendesk Slack takeover bug](https://gist.github.com/hackermondev/68ec8ed145fcee49d2f5e2b...) where that happened; in that case, there was a real Zendesk vulnerability which Zendesk first ignored, then later withheld payment for because the reporter shared a working PoC for Slack takeovers with companies affected by the Zendesk vulnerability after Zendesk had stated it was out of scope for them.)
I help run our bug bounty program at a mid-sized company, and we regularly get subdomain-takeover submissions where the reporter has put zero effort into validating the report before submitting it.
They appear to be running some subdomain or certificate search for our domains, then running curl over the results. If they get a 404 they submit it to us as a subdomain-takeover report.
We use a bunch of vendors where we've got foo.example.com CNAMED over to the vendor, but the vendor's servers only serve traffic off some sub-path, and requests to https://foo.example.com/ are going to get 404.
So, I could understand larger organisations simply banning them outright.