Acronis disclosed a bug submitted by vanitas: https://hackerone.com/reports/924493 – Bounty: $250 [Source]