any user could upload attachments to pentest scoping form they don’t have access to