JIRA:
https://hackerone.com/reports/326040