Many bug bounty programs explicitly include exposed IoT devices. For example, Axis has a bug bounty via the Axis Vulnerability Handling Policy (see their website).
Thus, a full malicious or investigative request might look like: http://[camera-ip]/axis-cgi/mjpg/video.cgi?full&resolution=1920x1080 inurl axiscgi mjpg videocgi full
The visibility of this URL in search engines often stems from misconfigured security settings. To secure an Axis camera: Video streaming - Axis developer documentation Many bug bounty programs explicitly include exposed IoT
A CGI script that Axis cameras use to deliver live video streams (e.g., video.cgi?resolution=640x480 ). inurl axiscgi mjpg videocgi full