[ ] Password Reset Poisoning (Kind of similar way we do Host Header Injection)
[ ] Reset Token/Link Expiring (Maybe they pay)
[ ] Reset Token Leaks (This can happen when some website interacts to third party services at that point of time maybe password reset token is sent via referrer header part and maybe it can leak)
[ ] Check for Subdomain takeover
[ ] Check for Older Version of Service is used by your target and if they do try to find existing exploit for the target.