by 7sidedmarble 939 days ago
That seems to kind of go against the spirit of doing the work to find a vulnerability. It's basically social engineering. Do you get bug bounties for that?

I wouldn't call it social engineering, because the reporter didn't intend to get the cookies while filing the first report.

It's like the Github scanner that reports leaked tokens.

What's crazy is that the reporter previously filed a bug report about hijacking sessions and then it comes full circle during a different report.

That's karma

The spirit of HackerOne is to encourage hackers to disclose rather than exploit for the reward of money. It makes a lot of sense that they'd pay generously as a public statement to any hackers that find vulnerabilities on their systems.
I'd argue it's with the spirit, it's just that the vulnerability resides within your employees rather than your systems. Both are worth a call out and correcting. It's arguable how much either is worth, that being said.