Expedia Group Bug Bounty disclosed a bug submitted by bombon: https://hackerone.com/reports/1760213 – Bounty: $750 [Source]