lol, amex takes vuln submissions and sends them to hackerone, and replies with an autoresponder that says you have to confirm the report, and claims that clicking the link means you agree to the hackerone contract.

the link, of course, completely fails to render without javascript.

i will not agree to this contract and i will not render hackerone's javascript.

guess amex's vuln is getting published in a month.