Stripe disclosed a bug submitted by saajanbhujel: https://hackerone.com/reports/1804177 – Bounty: $2000 [Source]