This report was created as part of the investigation for the Spot Check about the Spot Checks feature.
Hi,
I discovered team members / HackerOne staff can modify a user's spot check write-up. I believe this is not intended functionality for the following reasons:
{"operationName":"EditSpotCheckReport","variables":{"input":{"spot_check_report_id":"Z2lkOi8vaGFja2Vyb25lL1Nwb3RDaGVja1JlcG9ydC81MDU=","executive_summary":"x","scope":"x","methodology_and_tooling":"X","findings_and_evidence":"none","time_spent":0,"files":[],"removed_attachment_ids":[],"report_ids":[]},"product_area":"hacker_dashboard","product_feature":"redirect_overview"},"query":"mutation EditSpotCheckReport($input: EditSpotCheckReportInput!) {\n editSpotCheckReport(input: $input) {\n spot_check_report {\n id\n _id\n state\n __typename\n }\n was_successful\n errors {\n edges {\n node {\n id\n type\n field\n message\n __typename\n }\n __typename\n }\n __typename\n }\n __typename\n }\n}\n"}
Members and Triage can rewrite the story the hacker is trying to tell and edits are not transparent.
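An added example, not part of the original report and not HackerOne's code: a resolver sketch for the `EditSpotCheckReport` mutation above that enforces an object-level ownership check and records every change in an edit trail. The author-only policy, the actor names, the in-memory store and the history format are assumptions made for illustration.

```python
import base64
from dataclasses import dataclass, field

# Field names follow the EditSpotCheckReportInput shown in the report.
# The author-only policy, store and audit trail are assumptions.
EDITABLE = {"executive_summary", "scope", "methodology_and_tooling",
            "findings_and_evidence", "time_spent"}

@dataclass
class SpotCheckReport:
    db_id: int
    author: str
    fields: dict
    history: list = field(default_factory=list)  # append-only edit trail

def decode_global_id(gid: str) -> tuple[str, int]:
    """Decode a base64 'gid://app/Type/id' global ID into (type, id)."""
    uri = base64.b64decode(gid, validate=True).decode()
    prefix, _, rest = uri.partition("://")
    parts = rest.split("/")
    if prefix != "gid" or len(parts) != 3 or not parts[2].isdigit():
        raise ValueError("malformed global id")
    return parts[1], int(parts[2])

def edit_spot_check_report(actor: str, inp: dict, store: dict) -> dict:
    """Check ownership of the target object, then apply an audited update."""
    try:
        type_name, db_id = decode_global_id(inp["spot_check_report_id"])
    except (KeyError, TypeError, ValueError):
        return {"was_successful": False, "errors": ["invalid id"]}
    report = store.get(db_id) if type_name == "SpotCheckReport" else None
    # Same error for "missing" and "not yours" so IDs cannot be enumerated.
    if report is None or report.author != actor:
        return {"was_successful": False, "errors": ["not found"]}
    changes = {k: v for k, v in inp.items()
               if k in EDITABLE and report.fields.get(k) != v}
    for key, new in changes.items():
        # Record who changed what, with old and new values, before writing.
        report.history.append((actor, key, report.fields.get(key), new))
        report.fields[key] = new
    return {"was_successful": True, "errors": []}

if __name__ == "__main__":
    # Constructed sample data; the global ID is the one in the request above.
    gid = "Z2lkOi8vaGFja2Vyb25lL1Nwb3RDaGVja1JlcG9ydC81MDU="
    store = {505: SpotCheckReport(505, "hacker_a", {"executive_summary": "original"})}
    edit = {"spot_check_report_id": gid, "executive_summary": "x"}
    print(edit_spot_check_report("program_member", edit, store))
    print(edit_spot_check_report("hacker_a", edit, store), store[505].history)
```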