Most Casinos will only accept a report if it has a viable security impact with a PoC and not a general report from a scanner tool.

I'd recommend asking the casino if they have a private bug-bounty program either internally or externally (i.e, operated by BugCrowd, HackerOne, intigriti)