I would personally not scrape the endpoint to collect statistics and inform the severity estimation, but I'm a lot more risk averse than most. But prosecution of good-faith security research is disfavored, so as long as you don't do anything to breach the assumption of good faith (as defendants in the trial you mentioned repeatedly did) I think you're probably fine.
The bigger thing is just that there's no actual win in scraping here. It doesn't make the vulnerability report any more interesting; it just reads like they're trying to make the whole thing newsier. Some (very small) risk, zero reward.
The bigger thing is just that there's no actual win in scraping here. It doesn't make the vulnerability report any more interesting; it just reads like they're trying to make the whole thing newsier. Some (very small) risk, zero reward.