Report Duplicate Detector can match deleted and draft reports, may disclose title and vulnerability information
Low
## Vulnerability Details
When a report is submitted on HackerOne.com, a feature called the Report Duplicate Detector helps program members and triagers find potential duplicates of the submitted report. The feature matches against all reports that were submitted to the program. When it was introduced, every report associated with a member's program was accessible to that member. Over time, however, two report states were added, editing (draft) and deleted, that program members cannot access. Under certain circumstances, though, the Report Duplicate Detector can still be used to access information from reports in those states.
## Proof of concept
- As a hacker, create a draft report (do not submit it).
- As a member of the same program, submit a report with the same contents as the draft.
- Wait for the Report Duplicate Detector results to appear on the submitted report.
- Observe that the Report Duplicate Detector discloses the title of the hacker's draft report.
## Impact
Reports are required to have at least 50% overlap across a number of features to be marked as potential duplicates. The Report Duplicate Detector returns up to 10 reports, sorted by similarity in descending order. Depending on how unique the contents of the draft report are, those contents can be inferred through an enumeration attack.
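To make the impact concrete, below is an added model of the detector (example code written for this page, not HackerOne's implementation) that applies the page's 50% threshold and 10-result cap over a constructed set of program reports; the Jaccard scoring and the token features are assumptions. The vulnerable mode scores every report in the program, so the hacker's draft comes back, while the hardened mode filters out the `editing` and `deleted` states before any scoring happens.

```python
from dataclasses import dataclass

HIDDEN_STATES = {"editing", "deleted"}  # states program members cannot access (from the page)
MIN_OVERLAP = 0.5   # page: at least 50% feature overlap to count as a potential duplicate
MAX_RESULTS = 10    # page: up to 10 results, sorted by similarity descending

@dataclass(frozen=True)
class Report:
    id: int
    title: str
    state: str
    features: frozenset  # assumed: tokens extracted from title and body

def similarity(a: Report, b: Report) -> float:
    """Jaccard overlap of the feature sets; an assumed stand-in for the real scoring."""
    union = a.features | b.features
    return len(a.features & b.features) / len(union) if union else 0.0

def find_duplicates(new: Report, program_reports, exclude_hidden: bool) -> list:
    """Titles of potential duplicates of `new`. exclude_hidden=False models the
    reported behaviour; True is the hardened form (filter states before scoring)."""
    candidates = [r for r in program_reports if r.id != new.id]
    if exclude_hidden:
        candidates = [r for r in candidates if r.state not in HIDDEN_STATES]
    scored = [(similarity(new, r), r) for r in candidates]
    scored = [(s, r) for s, r in scored if s >= MIN_OVERLAP]
    scored.sort(key=lambda sr: sr[0], reverse=True)
    return [r.title for _, r in scored[:MAX_RESULTS]]

# Constructed sample data: a hacker's draft, a deleted report and a triaged report.
PROGRAM_REPORTS = [
    Report(1, "SSRF in webhook handler", "editing", frozenset({"ssrf", "webhook", "handler", "metadata"})),
    Report(2, "XSS in profile bio", "deleted", frozenset({"xss", "profile", "bio", "script"})),
    Report(3, "IDOR on invoice download", "triaged", frozenset({"idor", "invoice", "download"})),
]

def demo() -> dict:
    # A program member submits the same contents as the draft (proof-of-concept step 2).
    same_as_draft = Report(4, "Probe", "new", PROGRAM_REPORTS[0].features)
    # A submission that legitimately overlaps an accessible report (3 of 4 features = 0.75).
    near_triaged = Report(5, "Probe", "new", frozenset({"idor", "invoice", "download", "pdf"}))
    return {
        "vulnerable": find_duplicates(same_as_draft, PROGRAM_REPORTS, exclude_hidden=False),
        "hardened": find_duplicates(same_as_draft, PROGRAM_REPORTS, exclude_hidden=True),
        "hardened_legit": find_duplicates(near_triaged, PROGRAM_REPORTS, exclude_hidden=True),
    }
```

The third result shows that filtering by state before scoring removes the draft and deleted reports without affecting matches against reports the member is allowed to see.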
## Report Stats
- Report ID: 1242680
- State: Closed
- Substate: resolved
- Upvotes: 45