(npub1ajw…aj8d) Yes, webfinger is out of scope, and as far as I know Pleroma was vulnerable because it didn't do proper validation during reverse webfinger lookups... Is that right?
I don't know much about it. Mitra doesn't perform reverse webfinger lookups at all.