I’d opt out. For others that don’t have a web page or form for opting out, I block all scan subnets.

You simply have no way to certify that they are doing good with the results.

I probably have two thirds of the internet blacklisted from my IDS. I don’t re-allow compromised networks back into the allowed pool, ever. My IDS can see if there is legit traffic and prompt me to whitelist the subnet, but otherwise once they are flagged as bad, they are blocked forever.

I maintain a whitelist for the domains and services that I wish to provide services for.

As for outbound client connections, I have a separate switch and router for that and they bridge at the CPE, for cloud resources for everyday websites that may use transient VMs or connection pools. That client router has no open ports inbound.

Needless to say, having more than one router on your connection necessitates multiple IP addresses from the ISP, or a dedicated subnet passed to the CPE.

I don't know who Censys is, but anyone who port scans me, they're blocked automatically. Always assume a "deny inbound" posture to protect your trusted network or your DMZ, and only allow into your DMZ that which needs to be allowed. Allow *nothing* except for return traffic into your trusted network...unless you really, *REALLY* know what you're doing and why.

While they seem harmless, they are blocked...

I have my port scans and other attempted intrusions down to one every few days and will continue to block the stragglers. I have 15 countries blocked and numerous subnets. One of my favorites:

Sounds legit.