Able to Create Testimonials for myself using Sandbox

Disclosed: 2024-05-22 12:43:41 By callmed0_4 To security
Medium
Vulnerability Details
**Summary:** Recently you allowed us to give testimonials for Sandbox reports. This is vulnerable: it allows any researcher to control their own **Testimonials** for their benefit.

**Description:** When a report is closed as Resolved, the Sandbox report shows the option "This hacker is eligible for a testimonial". If we fill out this form and submit it for our own profile, then go to our profile settings ("https://hackerone.com/settings/feedback") and turn on "Show this blurb on my profile", the testimonial is shown on our public HackerOne profile. With a single Sandbox program I can create more than 50 testimonials for myself saying that I have hacked them and that I am a good hacker. The credibility of the HackerOne testimonial system then fails completely, because other users can only see that a private program gave the review; they cannot tell which program it was, or that it was a Sandbox program.

### Steps To Reproduce

1. With your second ID, create a Sandbox program and invite your active ID to that program.
2. With the active ID, create a few reports for your own Sandbox program.
3. Now, with the second ID, close all those reports as Resolved. A testimonial form will pop up at the top of the report: "This hacker is eligible for a testimonial".
4. Fill out this form and submit it.
5. From the active ID, go to the feedback section ("https://hackerone.com/settings/feedback") and turn on "Show this blurb on my profile". Now visit the public profile of the active ID: the **Testimonials** will be live and visible to all.

### Optional: Supporting Material/References (Screenshots)

████

## Impact

The credibility of the HackerOne testimonial system fails. It can be used to uplift public reputation; someone might add this profile to their job resume, and because everyone trusts HackerOne, they will trust this as well. It will surely affect the reputation of HackerOne.
Report Stats
  • Report ID: 2490953
  • State: Closed
  • Substate: resolved
  • Upvotes: 68