33 matches found
HackerOne: User object in GraphQL exposes number of trial reports for External Programs that also have a Private Program
Summary: For this vulnerability to work, it is necessary that you be an Admin/member of at least one sandbox team, and running a GraphQL node can tell you if the external programs that exist on the directory page are running a private program on HackerOne or not...
HackerOne: Team object in GraphQL that have a published external program may expose existence of a private program
Summary: Hi Team! On the Team object the parameter "icannotcreatejirawebhookreasons" is not NULL and gets the following default states when called for all programs: "CANNOTVIEW", "FEATUREGATED", "PROGRAMPERMISSIONREQUIRED". If a Company Program runs a Private Program or a Public One, the "FEATUREGATED" is...
HackerOne: Program metrics disclosed response_efficiency_percentage via /program_name json response despite the team decided not to show on their profile
Hi Team, Summary: First of all, I am not sure if a private program or any program has the capability to not show their response efficiency, but I assume they have because I saw some private programs that do not show response efficiency percentage on their public page. Description: Below list of...
HackerOne: Information Disclosure when /invitations/<token>.json is not yet accepted
Hi Team, Summary: First, I just want to clarify that this finding seems a purely human mistake from one of the HackerOne team members who created a summary of this report: 283309 --- I have found that you guys at HackerOne were disclosing an email address and private program as part of this report summar...
HackerOne: Private Program all members disclosed
After receiving an invite to a private program, it was possible to view all of its team members: https://hackerone.com/invitations/invitation code.json "teammembers":"username":"","username":"","username":"","username":"","username":"","username":""...
HackerOne: Pending member invitations are not revoked on program name change
Summary: When a private program updates the handle of its HackerOne program, former team members can see the new updated handle using the old invitation link. The invitation link looks like https://hackerone.com/invitations/ This may also be true for participants participating in private programs but ...
HackerOne: Banned researcher gets email updates on a private program.
Hi Team, I found out that after getting banned from the program, I am still getting email updates about the private program, e.g. access to a beta product, new scope changes etc. Those private messages can contain some important data that the program doesn't want to share with the banned researcher, for ex...
HackerOne: Researcher gets email updates on a private program after he/she quits that program.
Summary: I found out that after I quit a private program, I still get updates about that program, e.g. new scope changes/amount of money etc. Description (include impact): I noticed that if I quit a program I still get email updates about the private program; private data can be leaked in that email...
HackerOne: Information leakage of private program
Hello team, I noticed an issue in the Directory where information of a soft-launched program is getting disclosed! I made this request as an unauthenticated user, http GET /programs/search?query█████████&sort=publishedat%3Adescending&page=1 HTTP/1.1 Host: hackerone.com User-Agent: Mozilla/5.0 Windows NT...
HackerOne: Private Program Disclosure in /:handle/settings/allow_report_submission.json endpoint
Hi == private external bb https://hackerone.com/settings/allowreportsubmission.json?teamhandle=security when you get False or true they mean it's a valid bb; when you get 404 it's invalid...
HackerOne: Private program activity timeline information disclosure
Hi, there are some companies which are hosted as external https://hackerone.com/directory?query=type%3Aexternal&sort=name%3Aascending&page=1 but someone was hosting a private BB on HackerOne which is not visible unless they invite you. However, you can check if any company is hosting a private BB on...
HackerOne: Minimum bounty of a private program is visible for users that were removed from the program
Hello, Privileged information is getting leaked to an unauthorized user in the JSON response of https://hackerone.com/reports/.json. In a team there can be many members, and roles are also defined. But an ex-member of the team is getting information which should not be visible to him. As I tested it o...
HackerOne: Private Program and bounty details disclosed as part of JSON search response
Hello HackerOne Team!!!! Few days ago invited me for private disclosure!!! Yesterday I saw the fix of this report 80597. So, I dug deeper into the JSON search response; for example I searched this directory https://hackerone.com/████ https://hackerone.com/████; Now I access without authentication and I saw the...