Summary: Search query text, including from potentially undisclosed reports, sent to Google Analytics on Inbox query page
Description (Include Impact): Search query text can include the content of private (undisclosed) vulnerability reports, so it should not be sent to Google Analytics. Furthermore, the data sent to GA includes information indicating the presence of a report and its status, associated with a particular company (when the URL carries a non-zero report_id and a filtered reported_to_team parameter), which further pins down that a company has a report containing certain as-yet-undisclosed text. Finally, search query text can contain PII and therefore should not be sent to GA (however, I am not a lawyer, and this is not legal advice).
Mitigation: Client-side redaction of the 'reported_to_team' and 'text_query' query parameters (at a minimum) from the page URL before it is posted to GA as the document location.
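The following is an added example of the mitigation described above; it is not code from the original report or from HackerOne. It redacts the values of the named query parameters from a page URL before that URL is handed to an analytics library as the document location (the `dl` field), and provides a guard that detects a URL that would still leak. The parameter names `text_query` and `reported_to_team` come from the report; the `REDACTED` placeholder, the function names and the sample URL are assumptions for illustration.

```javascript
// Added example (not from the original report): redact sensitive query
// parameters client-side before a page URL reaches an analytics beacon.
// Parameter names are taken from the report; "REDACTED" and the helper
// names are assumptions for illustration.

const SENSITIVE_PARAMS = new Set(["text_query", "reported_to_team"]);
const REDACTED = "REDACTED";

/**
 * Return a copy of `pageUrl` in which the value of every query parameter
 * named in `sensitive` is replaced by `placeholder`. The key itself is kept
 * so analytics can still count "a text search happened" without learning
 * the search text or which team was filtered. An empty value (no filter
 * applied) is left empty, since it carries no secret. Repeated keys such as
 * substates[] are preserved in order because URLSearchParams is iterated
 * pair by pair rather than collapsed into a map.
 */
function redactSensitiveParams(pageUrl, sensitive = SENSITIVE_PARAMS, placeholder = REDACTED) {
  const url = new URL(pageUrl);
  const redacted = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    if (sensitive.has(key) && value !== "") {
      redacted.append(key, placeholder);
    } else {
      redacted.append(key, value);
    }
  }
  url.search = redacted.toString();
  return url.toString();
}

/**
 * Guard to run right before a beacon is sent: true if `pageUrl` still
 * carries a non-empty, non-placeholder value for any sensitive parameter.
 * Useful as an assertion in tests or as a last-line check that refuses to
 * send a document location which was not passed through the redactor.
 */
function leaksSensitiveParams(pageUrl, sensitive = SENSITIVE_PARAMS, placeholder = REDACTED) {
  const params = new URL(pageUrl).searchParams;
  return [...params].some(
    ([key, value]) => sensitive.has(key) && value !== "" && value !== placeholder
  );
}

// Constructed sample modelled on the permalink format in the report; the
// search text is a stand-in, not real report content.
const SAMPLE_URL =
  "https://hackerone.com/bugs?subject=user&report_id=0&view=custom" +
  "&substates%5B%5D=new&substates%5B%5D=triaged" +
  "&reported_to_team=security&text_query=SOME_UNDISCLOSED_REPORT_OR_PII_INFO_HERE" +
  "&sort_type=pg_search_rank&limit=25&page=1";

function demo() {
  const safeLocation = redactSensitiveParams(SAMPLE_URL);
  // A beacon payload would then carry `dl=<safeLocation>` instead of the
  // raw window.location; refuse to send if the guard still trips.
  if (leaksSensitiveParams(safeLocation)) {
    throw new Error("refusing to send unredacted document location");
  }
  return safeLocation;
}
```

Wire `redactSensitiveParams(window.location.href)` in wherever the analytics snippet sets the page location, and keep `leaksSensitiveParams` as a check in the test suite so a later refactor that bypasses the redactor fails loudly rather than silently leaking again.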
Visit the permalink URL for an inbox search query (for example, searching for "SOME_UNDISCLOSED_REPORT_OR_PII_INFO_HERE" and filtering to HackerOne gives a URL like: https://hackerone.com/bugs?subject=user&report_id=0&view=custom&substates%5B%5D=pre-submission&substates%5B%5D=new&substates%5B%5D=needs-more-info&substates%5B%5D=triaged&substates%5B%5D=duplicate&substates%5B%5D=informative&substates%5B%5D=resolved&substates%5B%5D=not-applicable&substates%5B%5D=spam&reported_to_team=security&text_query=SOME_UNDISCLOSED_REPORT_OR_PII_INFO_HERE&program_states%5B%5D=2&program_states%5B%5D=3&program_states%5B%5D=4&program_states%5B%5D=5&sort_type=pg_search_rank&sort_direction=descending&limit=25&page=1 )
In the browser's network inspector, note a POST to www.google-analytics.com/collect whose dl parameter contains the sensitive information (I have omitted all numeric identifiers for the sake of future disclosure):