Broken Link on Ping Identity's Vulnerability Submission Form on Hackerone
Team Summary
Official summary from Ping Identity
**Summary:** Ping Identity's HackerOne security page contains a broken, unclaimed link that any malicious user could claim. With some social engineering, such a user could then deceive new researchers into submitting their legitimate findings to the wrong hands. As in [this report](https://hackerone.com/reports/1117079), the broken link can be exploited by creating a fake impersonation of the company's security page, and it can cause impact even if it is exploited only once.

**Steps To Reproduce:**
1. Visit https://hackerone.com/pingidentity/reports/new?type=team&report_type=vulnerability
2. Click on "Security Page".
3. You are redirected to HackerOne's 404 page. Somebody could create a HackerOne account with that username, impersonate your security page, and steal legitimate reports.

**References:** https://edoverflow.com/2017/broken-link-hijacking

**Impact:** New researchers can be further deceived if they click on the hijacked link. A specific case would be a malicious user creating a fake account at the broken redirection target and deceiving researchers who arrive there. For example, the attacker could ask a researcher to submit the report to him first, and only after he "approves" it may the researcher submit it to your official page. In this way it can cause huge damage to your company if a critical severity report is misdirected to the attacker.
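The check the report is describing, as an added example (this is not part of the report, nor tooling from Ping Identity or HackerOne): extract every outbound link from a page, keep the ones whose first path segment is a self-service handle on a host where anyone can register names (the host list and the sample HTML below are constructed for this example), and flag those whose target currently returns 404 as candidates for broken-link hijacking. The `status_of` callback is an assumption that lets the example run offline; `live_status` shows how a real lookup would be plugged in.

```python
"""Flag outbound links that point at unclaimed, user-claimable handles.

Added example for the broken-link-hijacking report above; not the program's own code.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import urllib.request
import urllib.error

# Hosts where the first path segment is a handle that any user can register.
# Constructed for this example; extend it from your own asset inventory.
CLAIMABLE_HANDLE_HOSTS = {"hackerone.com", "github.com", "twitter.com"}

# First-segment routes on these hosts that are application paths, not handles.
# Constructed, non-exhaustive allowlist; a miss here yields a false positive, never a miss.
NON_HANDLE_ROUTES = {
    "hackerone.com": {"reports", "hacktivity", "users", "directory", "settings"},
    "github.com": {"login", "settings", "explore", "marketplace"},
    "twitter.com": {"home", "explore", "settings", "i"},
}


class _LinkParser(HTMLParser):
    """Collect href attributes from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def extract_links(html):
    parser = _LinkParser()
    parser.feed(html)
    return parser.links


def claimable_handle(url):
    """Return the registrable handle a URL points at, or None if it has none."""
    parts = urlparse(url)
    host = parts.netloc.lower()
    if host.startswith("www."):
        host = host[4:]
    if host not in CLAIMABLE_HANDLE_HOSTS:
        return None
    segments = [s for s in parts.path.split("/") if s]
    if not segments:
        return None
    handle = segments[0]
    if handle in NON_HANDLE_ROUTES.get(host, set()):
        return None
    return handle


def find_hijackable_links(html, status_of):
    """Return links whose handle target answers 404 (i.e. is probably unclaimed).

    status_of(url) -> int HTTP status; injected so the check can run offline.
    """
    findings = []
    for href in extract_links(html):
        handle = claimable_handle(href)
        if handle is None:
            continue
        if status_of(href) == 404:
            findings.append({"url": href, "handle": handle})
    return findings


def live_status(url, timeout=10):
    """Real lookup via urllib (not used by the offline demo below)."""
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "link-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


# Constructed sample page: one live handle link, one dead handle link, one non-handle route.
SAMPLE_HTML = """
<a href="https://hackerone.com/pingidentity">Program</a>
<a href="https://hackerone.com/retired-security-team">Security Page</a>
<a href="https://hackerone.com/reports/1117079">Similar report</a>
<a href="https://example.com/security">Our site</a>
"""

# Constructed responses standing in for the network during the demo.
FAKE_STATUS = {
    "https://hackerone.com/pingidentity": 200,
    "https://hackerone.com/retired-security-team": 404,
    "https://hackerone.com/reports/1117079": 200,
}


def demo():
    return find_hijackable_links(SAMPLE_HTML, lambda u: FAKE_STATUS.get(u, 200))


if __name__ == "__main__":
    for finding in demo():
        print("hijackable:", finding["url"], "(handle:", finding["handle"] + ")")
```

A 404 is evidence, not proof, that a handle is free: platforms reserve some names and may hide suspended accounts behind the same status, so confirm by attempting to register the handle yourself (or by asking the platform) before reporting, and re-run the check on a schedule, since a link that is fine today breaks the day a team renames its account.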
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Submitted
Weakness
Violation of Secure Design Principles