HackerOne: Internal bounty and swag details disclosed as part of JSON response

ID H1:81083
Type hackerone
Reporter techguynoob
Modified 2016-04-25T02:28:20


Hello HackerOne team!!!!

If some company takes an option like this:

Show minimum bounty on the program page?

Do not display the minimum bounty on the program page.

For example:

https://hackerone.com/███████████ [Private] [bounty details] "base_bounty":10

https://hackerone.com/████ [Private] [swag details] "offers_swag":true

Disclosure of private information via JSON response!!!

Note: I access with authentication!!!

Regards, sarath
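The class of issue reported above is a setting that hides a value on the rendered page while the JSON response still carries it. The following is an added example, not part of the report and not HackerOne's code: it contrasts a serializer that dumps the whole record with one that emits each field only when a per-field policy allows the viewer, plus a regression check on the response body. Only the keys `base_bounty` and `offers_swag` come from the report; the record layout, the viewer flags and the policy rules are assumptions.

```python
import json

# Constructed sample record. base_bounty and offers_swag are the keys quoted in
# the report; every other name and value here is hypothetical.
PROGRAM = {
    "handle": "example-program",
    "is_private": True,
    "show_minimum_bounty": False,  # "Do not display the minimum bounty on the program page."
    "base_bounty": 10,
    "offers_swag": True,
    "internal_notes": "constructed value",
}

# Assumed policy: each exposed field maps to a predicate over (program, viewer).
# Anything not listed here is never serialized.
FIELD_POLICY = {
    "handle": lambda p, v: True,
    "base_bounty": lambda p, v: p["show_minimum_bounty"] or v["is_team_member"],
    "offers_swag": lambda p, v: (not p["is_private"])
    or v["is_invited"]
    or v["is_team_member"],
}


def serialize_leaky(program, viewer):
    """'Before' pattern: dump the record and rely on the page template to hide fields."""
    return json.dumps(program)


def serialize_program(program, viewer):
    """Allowlist serializer: emit a field only if its policy allows this viewer."""
    visible = {
        key: program[key]
        for key, allowed in FIELD_POLICY.items()
        if allowed(program, viewer)
    }
    return json.dumps(visible)


def leaked_fields(body, forbidden=("base_bounty", "offers_swag")):
    """Regression check: forbidden keys present in a JSON response body."""
    return sorted(set(json.loads(body)) & set(forbidden))
```

Running `leaked_fields` against the response for an authenticated but unprivileged viewer in an integration test catches the case where the UI setting and the API serializer drift apart.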