This vulnerability allowed unauthorized users to retrieve sensitive information about private bug bounty programs on HackerOne and the titles of private reports by abusing a GraphQL endpoint. Attackers could enumerate {id} values and expose private data, including program names, scope details, and …