It seems one is able to upload arbitrary files to Amazon Webservices through the UI.
This allows for uploading malware such as msf-payload-x86.jpg.exe or whatever.
Beyond free hosting this could potentially be used to entice teams into downloading stuff they probably don't want.
Actual exploitation would likely depend on obfuscating the filename to look more innocent, general human errors, a certain trust in files being served from
hackerone-attachments.*.amazonaws.com or separate issues entirely.
I could imagine this to be working as intended but still believe it would be good to consider restrictions even if the result is to not enforce any.
I would propose to at least consider displaying a warning similar to the (excellent) one displayed when visiting an external link.