$10,000 Bounty: HackerOne Report Comments Leak via “Export as .zip”
Summary
A recently discovered vulnerability on HackerOne allowed users to download and view private comments in bug reports through a newly introduced export feature (“Export as .zip”).
HackerOne is a platform on which companies can enrol to identify their own IT vulnerabilities before problematic bugs are identified and exploited by criminals.
A HackerOne researcher called Faisalahmed was awarded the $10,000 bounty after he spotted the flaw and reported it via the platform.
The problem highlighted the exposure of what are known as “limited disclosure reports”, reports whose content is meant to be viewable only by selected, authorised parties.
The problem was quickly addressed once it was discovered.