Program Member Could Duplicate Report To A Non Related Program Original Report

**Summary:** Hello Hackerone team, I found a vulnerability on setting duplicate report as program owner. I'm able to duplicate a report to a report that doesn't have relation with the program. For example we can duplicate to a public report in hacktivity. ### Steps To Reproduce 1. Create a sandbox program 2. On a report, select closed as duplicate and select another report from your program 3. Then intercept a request sent to /reports/bulk. Change the `original_report_id` parameter to 2279010 (A report to Portswigger #2279010) {F3284733} {F3284729} In addition after some analysis, I found that we also could mark as duplicate to a private report based on who's marking as duplicate. For example for me I would be able to duplicate to a report with id #2441985 which was a private report {F3284759} ## Impact - A Program could mark as duplicate a report that even doesn't have correlation to the original report and security researcher wouldn't be able to validate it - Integrity issue since the duplicate report should be only come from the program related report