Summary
In this finding, the security researcher demonstrates a serious flaw in HackerOne’s platform enforcement. Even after being officially banned from submitting reports, the researcher was able to bypass the restriction using an API key and submit reports to both sandbox and real programs, a direct violation of the platform’s trust and abuse-prevention mechanisms: the ban was enforced on the web submission path but not on the API path.
Steps to Reproduce
1. Have the Account Restricted from Submitting Reports
light3r contacted HackerOne support and had the account restricted from submitting any new reports. This restriction is confirmed in the screenshot below.
2. Attempt to Submit a Report via UI or Direct Request
After the ban, light3r tried to create a report directly and received a 403 Forbidden error, as expected.
3. Create a Sandbox Program and API Key
light3r navigated to HackerOne’s settings and created an API key through the sandbox program.
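The steps above describe a classic enforcement gap: a restriction that is checked in the handler for one entry point (the browser session) while a second entry point (an API key created from the sandbox program) reaches the same report-creation logic unchecked. The model below is an added illustration, not HackerOne's code and not part of the original report; `ReportService`, `submit_via_web`, `submit_via_api`, the token value and the program handles are all hypothetical. It replays the three steps against a service with the check in the web handler only (the vulnerable shape) and against one where the check lives in the single `_create_report` path every entry point must pass through, with existing API keys revoked when a ban is applied.

```python
"""Constructed model of the enforcement gap described in the report: a report-
submission restriction checked on the web (session) path but not on the API-key
path.  Illustration only; none of these names are HackerOne's real code or API."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Program:
    handle: str
    sandbox: bool = False  # the report says both sandbox and real programs were reachable


@dataclass
class User:
    username: str
    submission_restricted: bool = False  # set by support when the account is banned from reporting
    api_keys: List[str] = field(default_factory=list)


class ReportService:
    """One backend with two front doors: browser session and API key (hypothetical)."""

    def __init__(self, enforce_centrally: bool):
        self.enforce_centrally = enforce_centrally
        self.users: Dict[str, User] = {}
        self.api_keys: Dict[str, str] = {}              # token -> username
        self.reports: List[Tuple[str, str, str]] = []   # (username, program, title)

    def add_user(self, username: str) -> User:
        self.users[username] = User(username)
        return self.users[username]

    def issue_api_key(self, username: str, token: str) -> None:
        self.users[username].api_keys.append(token)
        self.api_keys[token] = username

    def restrict_submissions(self, username: str) -> None:
        """What support does when it bans an account from filing reports."""
        user = self.users[username]
        user.submission_restricted = True
        if self.enforce_centrally:
            # Defense in depth: a ban also revokes credentials that bypass the UI.
            for token in user.api_keys:
                self.api_keys.pop(token, None)
            user.api_keys.clear()

    # The one place every submission path must pass through.
    def _create_report(self, user: User, program: Program, title: str) -> int:
        if self.enforce_centrally and user.submission_restricted:
            return 403
        self.reports.append((user.username, program.handle, title))
        return 201

    # Entry point 1: browser session, the path the ban was tested against (step 2).
    def submit_via_web(self, session_user: str, program: Program, title: str) -> int:
        user = self.users[session_user]
        if user.submission_restricted:   # in the vulnerable shape this is the only check
            return 403
        return self._create_report(user, program, title)

    # Entry point 2: API key, the path the report says was not gated.
    def submit_via_api(self, token: str, program: Program, title: str) -> int:
        username = self.api_keys.get(token)
        if username is None:
            return 401
        # Without the central check, a banned user with a valid key lands here unchallenged.
        return self._create_report(self.users[username], program, title)


def reproduce(enforce_centrally: bool) -> Dict[str, int]:
    """Replay the report's steps in order and return each attempt's status code."""
    svc = ReportService(enforce_centrally)
    svc.add_user("researcher")
    svc.restrict_submissions("researcher")                   # step 1: banned by support
    sandbox = Program("sandbox-program", sandbox=True)
    real = Program("real-program")
    web = svc.submit_via_web("researcher", real, "test")     # step 2: 403 as expected
    svc.issue_api_key("researcher", "hypothetical-token")    # step 3: key from sandbox program
    return {
        "web": web,
        "api_sandbox": svc.submit_via_api("hypothetical-token", sandbox, "test"),
        "api_real": svc.submit_via_api("hypothetical-token", real, "test"),
        "reports_filed": len(svc.reports),
    }


if __name__ == "__main__":
    print("vulnerable:", reproduce(enforce_centrally=False))
    print("hardened:  ", reproduce(enforce_centrally=True))
```

Run stand-alone it prints the vulnerable replay (web 403, both API submissions 201, two reports filed) next to the hardened one (403 on every path, nothing filed). The design point is that the restriction belongs on the action, not on the front door: checking it in `_create_report` makes any future entry point (a new API version, an integration, a mobile client) inherit the ban automatically, and revoking existing keys on ban closes the window for credentials issued before the restriction.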