1day
Dec 31, 2024

Here, the link to visit.com is shown to users to share with their friends, along with a button to share it to the user’s Twitter/FB handle.

So even if visit.com is not in scope, the vulnerability is still in target.com. So it was accepted as a valid bug.

Think of how broken link hijacking works: we find an unclaimed Instagram, FB or Twitter handle and we take it over. It doesn’t mean instagram.com will be in scope of the program.
