Any half-decent VDP will have a safe harbour clause. Otherwise it isn't a true VDP but rather just contact details.
So far, the courts have ruled that you need to be specifically approved, by name, before any works begin. There is no safe harbour here. Your policy does not overrule the law. You need a pre-existing relationship with the company, before you begin to look for vulnerabilities.