2 matches found
HackerOne: Insecure Direct Object Reference (IDOR) Allows Viewing Private Report Details via /bugs.json Endpoint
The Insecure Direct Object Reference (IDOR) vulnerability allowed viewing private report details through the /bugs.json endpoint. Any private report could be accessed by sending a POST request to the endpoint with the organization ID and a single-digit text query. This gave access to sensitive...
HackerOne: Information leakage - Private reports cached by Google
Hello, I have found at least two private bug reports cached by Google: 10259 and 10257. Possibly more available. Cached version is exposing title and part of the bug description. POC:...