"On May 2nd, 2023, we identified that the Flask session secret for the points[.]com global administration website used to manage all airline tenant and customer accounts was the word 'secret'."

And so many insane vulnerabilities found and exposed by these guys. Hats off!