This report was created as part of the investigation for the Spot Check about the Spot Checks feature.

Hi, I discovered team members / HackerOne staff can modify a user's spot check write-up. I believe this is not intended functionality for the following reasons:

1. There is no option to edit the hacker's write-up in the UI.
2. HackerOne previously fixed vulnerabilities where the team member / triager could edit a user's report (#2061367, #2096271).

Steps to reproduce:

1. Submit a spot check write-up.
2. Edit the write-up and intercept the GraphQL request. It should look like this:

```json
{"operationName":"EditSpotCheckReport","variables":{"input":{"spot_check_report_id":"Z2lkOi8vaGFja2Vyb25lL1Nwb3RDaGVja1JlcG9ydC81MDU=","executive_summary":"x","scope":"x","methodology_and_tooling":"X","findings_and_evidence":"none","time_spent":0,"files":[],"removed_attachment_ids":[],"report_ids":[]},"product_area":"hacker_dashboard","product_feature":"redirect_overview"},"query":"mutation EditSpotCheckReport($input: EditSpotCheckReportInput!) {\n editSpotCheckReport(input: $input) {\n spot_check_report {\n id\n _id\n state\n __typename\n }\n was_successful\n errors {\n edges {\n node {\n id\n type\n field\n message\n __typename\n }\n __typename\n }\n __typename\n }\n __typename\n }\n}\n"}
```

3. Log in to the organization account.
4. Copy the GraphQL request above and send it. You…
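The issue the report describes is a missing object-level authorization check on the `EditSpotCheckReport` mutation: the server verifies that the caller is signed in and that the report exists, but not that the caller is the author of the write-up. The following is an added illustration written for this page, not HackerOne's code: a toy in-memory model of the mutation with the check missing and with it present, replaying the `input` object from the intercepted request above as a team-member account. The GID string and the `spot_check_report_id` / `executive_summary` field names are taken from the request; the `User`, `SpotCheckReport` and store types, the user ids, and the error shape are assumptions.

```python
import base64
from dataclasses import dataclass

# Hypothetical model of the EditSpotCheckReport mutation, written for this
# page; it is not HackerOne's code. Only the GID and the input field names
# come from the intercepted request; everything else is an assumption.


def decode_gid(gid_b64: str) -> tuple[str, int]:
    """Decode a base64 global ID of the form gid://<app>/<Model>/<numeric id>.

    The captured value decodes to gid://hackerone/SpotCheckReport/505, i.e. a
    plain sequential id, so the object reference is trivially guessable.
    """
    raw = base64.b64decode(gid_b64).decode()
    if not raw.startswith("gid://"):
        raise ValueError("not a gid")
    _app, model, num = raw[len("gid://"):].split("/")
    return model, int(num)


@dataclass
class User:
    id: int
    team_member: bool = False   # organization / triage side account


@dataclass
class SpotCheckReport:
    id: int
    author_id: int              # the hacker who wrote the write-up
    executive_summary: str
    state: str = "submitted"


def fresh_store() -> dict[int, SpotCheckReport]:
    # Constructed sample data: report 505 belongs to hacker user 1.
    return {505: SpotCheckReport(id=505, author_id=1,
                                 executive_summary="original write-up")}


def _error(kind, field, message):
    return {"was_successful": False,
            "errors": [{"type": kind, "field": field, "message": message}]}


def edit_spot_check_report_vulnerable(viewer, args, store):
    """Checks authentication and existence only; no owner check (the bug)."""
    if viewer is None:
        return _error("UNAUTHENTICATED", None, "sign in")
    model, rid = decode_gid(args["spot_check_report_id"])
    report = store.get(rid)
    if model != "SpotCheckReport" or report is None:
        return _error("NOT_FOUND", "spot_check_report_id", "not found")
    report.executive_summary = args["executive_summary"]
    return {"was_successful": True, "errors": []}


def edit_spot_check_report_fixed(viewer, args, store):
    """Same handler with the object-level check the report says is missing."""
    if viewer is None:
        return _error("UNAUTHENTICATED", None, "sign in")
    model, rid = decode_gid(args["spot_check_report_id"])
    report = store.get(rid)
    # One response for "does not exist" and "not yours", so the mutation does
    # not become an oracle for which sequential ids exist.
    if (model != "SpotCheckReport" or report is None
            or report.author_id != viewer.id):
        return _error("NOT_FOUND", "spot_check_report_id", "not found")
    report.executive_summary = args["executive_summary"]
    return {"was_successful": True, "errors": []}


# The relevant part of the input object from the intercepted request above.
REQUEST_INPUT = {
    "spot_check_report_id": "Z2lkOi8vaGFja2Vyb25lL1Nwb3RDaGVja1JlcG9ydC81MDU=",
    "executive_summary": "x",
}


def replay_as_team_member(handler):
    """Replay the captured input as an org account (assumed user id 2).

    Returns (was_successful, stored executive_summary after the call).
    """
    store = fresh_store()
    org = User(id=2, team_member=True)
    result = handler(org, REQUEST_INPUT, store)
    return result["was_successful"], store[505].executive_summary


def replay_as_author(handler):
    """Same replay as the write-up's author (user id 1); must still succeed."""
    store = fresh_store()
    result = handler(User(id=1), REQUEST_INPUT, store)
    return result["was_successful"], store[505].executive_summary


if __name__ == "__main__":
    print(decode_gid(REQUEST_INPUT["spot_check_report_id"]))
    print("vulnerable, org account:", replay_as_team_member(edit_spot_check_report_vulnerable))
    print("fixed, org account:     ", replay_as_team_member(edit_spot_check_report_fixed))
    print("fixed, author:          ", replay_as_author(edit_spot_check_report_fixed))
```

The fixed handler returns the same `NOT_FOUND` error whether the report does not exist or belongs to someone else; returning a distinct "unauthorized" error would let any signed-in account enumerate which `SpotCheckReport` ids exist by replaying the mutation with incremented ids. When testing the real endpoint, the check a practitioner wants is the one the report's steps describe: the same request, sent with the organization account's session, should come back with `was_successful: false` and the stored write-up unchanged.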