sdrc.starbucks.com - Information Disclosure via unsecured attachment directory
Critical
Starbucks
Team Summary
Official summary from Starbucks
l00ph0le submitted a valid high severity XSS vulnerability report for sdrc.starbucks.com. After Starbucks confirmed this vulnerability and advised this asset was not in scope, l00ph0le performed additional analysis and research to uncover an unsecured attachment directory, which elevated this to a critical report. l00ph0le was subsequently awarded a critical bounty payout in accordance with the updated severity and scope. @l00ph0le — thank you for reporting the original vulnerability, the additional information and for confirming the resolution.
Reported by: l00ph0le
Report Details
Additional information and metadata
State: Closed
Substate: Resolved
Weakness: Information Disclosure