Ability to identify actual private from sandboxed programs using link hackerone.com/$handle/terms_acceptance_data.csv
Posted: Mon Jan 13, 2025 4:27 am
When accessing the advanced vetting settings of a sandboxed testing program, a peculiar behavior can be noted. Navigating to the advanced vetting page of any program (e.g., hackerone.com/$handle/advanced_vetting) results in the page loading, even without explicit permissions. However, no confidential information is exposed, as the associated GraphQL request enforces restrictions on unauthorized users, displaying only the appropriate content.
https://hackerone.com/reports/2381253
https://hackerone.com/reports/2381253