Lack of Validation in Reward Redemption Allows Unlimited Burp Suite License Abuse
Low
Vulnerability Details
I received an email from the new points and rewards system stating that I had reached Level 4, and the reward was a 3-month Burp Suite Pro license (sponsored by PortSwigger). The email included a “Redeem it here” button, which redirected me to a Google Form. After filling out the form, I received a valid license in my email.
The issue is that there is no validation or verification tied to the user’s account, which allows an attacker to obtain multiple licenses simply by using different email addresses.
Evidence
Email content (relevant section):
Hi theokeen,
You’ve reached Level 4!
This time, your reward is a 3-month Burp Suite Pro license, made possible by our partners at PortSwigger.
Redeem it here.
{F4877852}
Redeem link:
█████
Different emails:
1.
███
2.
█████████
After submitting the form with two different email addresses, I received two separate valid licenses.
Impact
Because there is no validation mechanism (e.g., checking if the email matches a legitimate Level 4 account), a malicious actor could generate hundreds of valid licenses for free, which could lead to abuse of the reward system and significant financial loss for the sponsor.
## Recommended Remediation
Implement proper identity verification before issuing the license (e.g., checking account level or requiring authentication).
Enforce one redemption per account or per unique identifier.
Add rate limiting or CAPTCHA to prevent automated abuse.
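To make the three mitigations above concrete, here is an added example (not code from the report, the platform, or PortSwigger) of a small redemption service. It places the flawed behaviour described in the report (a form that issues a license to any submitted email) beside a hardened flow in which the redemption link carries an HMAC-signed, expiring token bound to the account, the submitted email must match that account, the account must actually be at the required level, and each account can redeem only once. The account table, the secret, the level threshold and the `LICENSE-FOR-...` placeholder for the sponsor's licensing call are constructed assumptions; rate limiting and CAPTCHA sit in front of this endpoint and are not shown.

```python
"""Reward redemption with and without account-bound validation.

Added example, not the report's or the platform's own code. ACCOUNTS, the
secret, LEVEL_REQUIRED and the license placeholder are constructed.
"""
import hashlib
import hmac
import time

LEVEL_REQUIRED = 4              # assumption: Level 4 unlocks this reward
TOKEN_TTL_SECONDS = 7 * 24 * 3600

# Constructed sample account table; a real service would query its user store.
ACCOUNTS = {
    "theokeen": {"email": "theokeen@example.com", "level": 4},
    "newbie":   {"email": "newbie@example.com",   "level": 1},
}


class RedemptionError(Exception):
    """Raised whenever a redemption attempt fails validation."""


class RewardService:
    def __init__(self, accounts, secret, now=time.time):
        self.accounts = accounts
        self.secret = secret          # HMAC key, kept server-side
        self.now = now                # injectable clock for testing
        self.redeemed = set()         # account ids that already claimed this reward

    def _issue_license(self, email):
        # Placeholder for the call to the sponsor's licensing API (constructed).
        return f"LICENSE-FOR-{email}"

    # Flawed flow as described in the report: whatever email the form submits
    # receives a license, with no link to the account that earned the reward.
    def redeem_unverified(self, submitted_email):
        return self._issue_license(submitted_email)

    # Hardened flow -----------------------------------------------------------
    def _sign(self, payload):
        return hmac.new(self.secret, payload.encode(), hashlib.sha256).hexdigest()

    def create_redemption_token(self, account_id):
        """Mint the token embedded in the 'Redeem it here' link for one account.

        Account ids are assumed not to contain '|', which is used as the separator.
        """
        acct = self.accounts.get(account_id)
        if acct is None or acct["level"] < LEVEL_REQUIRED:
            raise RedemptionError("account not eligible")
        payload = f"{account_id}|{int(self.now()) + TOKEN_TTL_SECONDS}"
        return f"{payload}|{self._sign(payload)}"

    def redeem(self, token, submitted_email):
        """Validate signature, expiry, eligibility, email ownership, and one-per-account."""
        try:
            account_id, expiry, sig = token.split("|")
        except ValueError:
            raise RedemptionError("malformed token")
        # Constant-time comparison so the signature cannot be guessed byte by byte.
        if not hmac.compare_digest(sig, self._sign(f"{account_id}|{expiry}")):
            raise RedemptionError("bad signature")
        if int(self.now()) > int(expiry):
            raise RedemptionError("token expired")
        acct = self.accounts.get(account_id)
        if acct is None or acct["level"] < LEVEL_REQUIRED:
            raise RedemptionError("account not eligible")
        if submitted_email.strip().lower() != acct["email"].lower():
            raise RedemptionError("email does not match account")
        if account_id in self.redeemed:
            raise RedemptionError("reward already redeemed")
        self.redeemed.add(account_id)
        # The license goes to the email on record, not the one typed into the form.
        return self._issue_license(acct["email"])


def _outcome(fn):
    try:
        return fn()
    except RedemptionError as exc:
        return f"rejected: {exc}"


def demo():
    """Run both flows against the constructed data and return each outcome."""
    svc = RewardService(ACCOUNTS, b"constructed-demo-secret")
    tok = svc.create_redemption_token("theokeen")
    return {
        # Flawed flow: two unrelated emails, two licenses.
        "unverified": [svc.redeem_unverified(e) for e in ("a@example.com", "b@example.com")],
        "wrong_email": _outcome(lambda: svc.redeem(tok, "other@example.com")),
        "first": _outcome(lambda: svc.redeem(tok, "theokeen@example.com")),
        "replay": _outcome(lambda: svc.redeem(tok, "theokeen@example.com")),
        "tampered": _outcome(lambda: svc.redeem(tok.replace("theokeen", "newbie", 1), "newbie@example.com")),
        "ineligible": _outcome(lambda: svc.create_redemption_token("newbie")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12} {result}")
```

The important design choice is that the hardened path never trusts the email typed into the form: the license is sent to the address already on the account that earned Level 4, and the only thing the form proves is possession of a signed link, which is itself useless after one redemption or after it expires.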
Report Stats
- Report ID: 3378540
- State: Closed
- Substate: resolved
- Upvotes: 12