Earlier this month, a hacker who uses the online moniker msdian7 discovered that a new feature introduced by the HackerOne bug bounty platform had resulted in a vulnerability that could have been exploited to obtain any HackerOne user’s email address.
The feature was introduced on February 10 and msdian7 found the vulnerability the next day. The vulnerability was patched within a few hours by HackerOne, and by the end of the day the company had sent out notifications to two individuals whose email addresses were exposed during the tests conducted by msdian7.
