Denial of service in report view.

Hello Team! First of all thank you for acknowledging my feature request, I know it will help a lot of users. Description: ========== I just wanted to report a potential vulnerability on the report view functionality. For obvious reasons I'm using my sandboxed team on an alternate account to test it, but I'm pretty sure it can be still exploited on non-sandboxed teams. I'm guessing that one of the main differences between sandboxed and non-sandboxed teams is that non-sandboxed have rate-limiting, but this wouldn't be a successfuly way of preventing this potential attack, but just a way of slowing it down, but not for long. Basically the problem relies in that the view report functionality, tries to load every comment, either man made or system made, which, given enough comments, overloads the server and sends a 524 Origin Time-Out. I was able to get this error by sending around 450 "test" messages on the same report, or by sending a few big messages. You can see it by yourself on reports 137508, 132450 and 138662 (Three different ways of exploiting this vulnerability) Why is this a vulnerability? ====================== A malicious individual could very well leverage this vulnerability to prevent a legitimate user from accessing the report. In addition, it causes an unnecessary load on Hackerone's servers, since it can be used as a request amplification attack, by issuing a large amount of requests to the report, once it's filled with random info. Also, even though compression techniques can be used to reduce the amount of data transferred, this can by greatly bypassed by issuing high-entropy data (random), which would hinder the compression mechanisms. How to fix this? ============= Several ideas come to mind: - Limit the amount of consecutive comments that can be seen at once in a report, providing a "see more" button which will at most overload the client interface, not the server. - Limit the amount of data sent per comment, providing a "see more" button which loads the following chunk of data. - When a high amount of comment load is detected (either because of a high amount of comments or big comments being sent), perform a CAPTCHA check. As you can see on the following screenshot, the report failed to load: {F95556} This is the request made by the Ajax controller: {F95557} This is the response sent by the server, showing a gateway error after 60 seconds: {F95558}