Null byte injection

Hi , I would like to report an issue that I have noticed in `https://hackerone.com/users/sign_in?invitation_token=` . I am not sure if this is a valid security issue , but I have decided to report it anyway and see what you guys think. #Details: - When you go to https://hackerone.com/users/sign_in?invitation_token=xxxx , you'll get a 404 page because `xxxx` is not a voalid invitation token. - But if you go to https://hackerone.com/users/sign_in?invitation_token=eda8fca985bc4d4ef21f269ed2a24951 , you'll get a 200 response with the regular login form and a link at the bottom saying `Back to invitation.` . I was trying to get XSS or open redirect through the `Back to invitation` link , but found a Null byte injection issue. - If you go to `https://hackerone.com/users/sign_in?invitation_token=eda8fca985bc4d4ef21f269ed2a24951%00"><img src=x onerror=prompt(1) x=` , you should get a 404 page , since it's not a valid invitation token , however , you won't! You'll get a 200 response with the regular login page and a link to `https://hackerone.com/invitations/eda8fca985bc4d4ef21f269ed2a24951%00%22%3E%3Cimg%20src=x%20onerror=prompt(1)%20x=` saying `Back to invitation` , the invitation link is escaped so there is no XSS here. - This means that there is a Null byte injection issue with the code handling the `invitation_token` parameter. I couldn't get anything with that , however I believe it may lead to some serious issues! I hope this helps. Thanks