HackerOne: [ Spot Check ] Team members can edit a user's write-up

Team members could edit a user's spot check write-up. The write-up could be modified through a GraphQL request, even though there was no option to edit the write-up in the user interface. This was considered unintended functionality, as HackerOne had previously fixed vulnerabilities where team...

HackerOne: [Spot Check] - Ability to disclose metadata about Spot Checks (Number of Hackers + Hackers Criteria) via "SpotCheckSingleQuery"

A vulnerability was discovered that allowed hackers to disclose private metadata about Spot Checks, including the number of hackers and the selection criteria. The vulnerability was triggered by navigating to a specific URL and accessing the "SpotCheckSingleQuery" parameter, which returned this...