u/OpportunitySuper6834

Sandbox environment testing

Found a bug in a Bugcrowd private program which is more like a booking system; it has a SaaS for businesses and a customer portal. The SaaS is inaccessible for some reason, so I've been testing the customer portal only for now.

That customer portal links to the business one in the sense that the people who post bookings on it are the people with access to the SaaS, and the people accessing those bookings are the customers, obviously.

I found a bug that lowkey allows me to add an unavailable schedule for a staff member to make it available for them. But since I can't do that to my own bookings, considering I can't even access the SaaS, can I report it with minimal PoC or will it be considered destructive testing by the program?

▲ 3 r/HyperX

HyperX Cloud 3 recognized but not working

Bought the HyperX Cloud 3 today, connected it to the USB dongle and then tried it in 2 different ports on my computer, but sound outputs aren't reaching me even though my Windows recognizes the sound.

u/OpportunitySuper6834 — 6 days ago

Recently, I've been learning JavaScript to improve my code readability, potentially find other bugs like DOM XSS (reading sources and sinks manually, etc.), also generally digging for secrets and probably more.

As much as I understand the language, I think I'm usually overwhelmed by the number of JS files that appear on the network tab as I'm testing the waters in the application. Sometimes you don't know the best technique to maximize it, or whether you should focus on the sources/debugger tab or the network one, or both. So I'd like to hear your recommendations or how to approach this. Much thanks in advance.

u/OpportunitySuper6834 — 23 days ago

While enumerating the subdomains, I have a habit of searching for historical URLs for these subdomains.

This time, I found a number of recipient email addresses in query params, like large numbers of them. Does this qualify as a PII leak that I should report?

u/OpportunitySuper6834 — 24 days ago