Is this a ZERO-DAY?
While testing a self-hosted bug bounty program, I noticed that the communication is mostly via websocket. The program allows users to create an organization and invite another user via email to their organization. I did that... I invited my account 2 to my account 1 organization. Then I thought of checking the websocket and I found out that it's purging data from other organizations which I have no association with. It purged email, first names and last name, OAuth secret and OAuth Id, organization Id, sessionUID, etc... It's leaking in real time... I did nothing crazy... I just need to refresh my page and allow the socket to start communicating. Then here are the data coming from nowhere... I tried to verify if the secrets are real and surprisingly I was able to get data... But I stopped there... It's just for confirmation. Now the question is... how does a self-hosted program handle such a leak? Do I need to send them just a single leak or everything as my PoC? Also, is this a ZERO-DAY vulnerability?