[HackerOne] View Titles of Private Reports with pending email invitation ($7500 USD)

We discussed this vulnerability during Episode 237 on 28 January 2024

Disclosure of private report titles on HackerOne if there is a pending email invitation for collaboration (made through the Manager Collaborators invitation panel). With an invite being made any anonymous user anyone can query that report’s title by id on the GraphQL API.