Given that this vulnerability is still in triage, I will give a vague overview of the bug chain. Whilst working on my automation, I was investigating various interesting subdomains that it had found.
Insecure Direct Object Reference bugs.
The first bounty is a milestone that many hope to hit. It marks the starting line for a lot of bug bounty hunters today. Mine was interesting. For privacy's sake, I won't disclose