User blog comment:MisterWoodhouse/Introducing the Fandom Bug Bounty Program/@comment-34858178-20190727164816/@comment-3020860-20190728160319

Privilege elevation (gaining administrative powers on the wiki), malware injection, backend database manipulation... there are all SORTS of potential exposures, on pretty much any site.

Obviously they can't list the vulnerabilities they don't know about (the whole point of the bounty program) but access to user personal data is far from the only attack vector to be concerned about. (It's just the only one users are generally concerned with, because it directly affects them. Though, really, everyone should be concerned about potential malware injections, for exactly the same reason.)