I've tested a lot of websites, and I've found that many sites have a "go.example.com" subdomain that returns the following error message:
404 Not Found
The redirect url is empty
This message makes me think that you can somehow add a header/parameter to make this website redirect to any other site. If that is so, that would be an open redirect, which is a valid vulnerability.
Do these "go." subdomains have a header/parameter that they will redirect to?