Are reports about the GitLab tracker disclosing currently confidential vulnerabilities acceptable?

Hey!

First of all, thanks for making it easy to ask program related questions. It's always great to see you are looking for ways to improve the program!

My H1 handle: hackerone.com/jimeno

I'd like to understand if accidental vulnerability leakages caused by the GitLab team are considered valid exposures/reports. I'm subscribed to the RSS feed of several gitlab-org and gitlab-com labels to get notified about production outages, security issues, etc.

Today I got alerted about an MR having been submitted which seems to be a proposed fix for an undisclosed XSS:

[EMAIL SCREENSHOT REDACTED]

Normally I'd just submit a Low severity report on HackerOne about the exposure. However, I don't want to risk an N/A by the analysts team.

Please, let me know if such vulnerability exposure reports are acceptable or not. If not, then please note the XSS reproduction steps are publicly available at this time and you might want to make gitlab-org/gitlab!102706 (merged) confidential.

By the way, I removed the appsec tag as this doesn't look important enough to alert 16 people to me 😅

Thanks!

Edited by Nick Malcolm