Stripe disclosed a bug submitted by peterldowns: https://hackerone.com/reports/2011298 – Bounty: $500 [Source]