Summary by Bugcrowd
The researcher identified that points obtained through the demo program did not add points to the user's profile but were counted in the backend for the leaderboards. This was a flaw within the logic of the rank calculation system, which was a great find! Thanks for your awesome work MuhammadKhizerJaved!
Summary by MuhammadKhizerJaved
The vulnerability on the Bugcrowd platform allowed manipulating rank on the platform using the API. I found that the platform did not differentiate between points earned from demo programs and real programs for ranking, allowing me to import demo program reports using the Bugcrowd API and reward myself with points. Although these points did not reflect on the researcher's public profile page, they were included in the platform's ranking algorithm.
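The mismatch both summaries describe, points excluded from the profile but included in the ranking, can be caught with an invariant check between the two totals. The sketch below is an added example, not Bugcrowd's code: the `Reward` record, the `is_demo` flag, the function names and the sample ledger are all assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Reward:            # hypothetical ledger record
    researcher: str
    program: str
    is_demo: bool        # assumed flag marking a demo program
    points: int

def counts_for_reputation(r: Reward) -> bool:
    """Single eligibility rule every consumer of the ledger should share."""
    return not r.is_demo

def profile_points(ledger):
    """Profile totals: demo rewards are excluded, as the report describes."""
    totals = defaultdict(int)
    for r in ledger:
        if counts_for_reputation(r):
            totals[r.researcher] += r.points
    return dict(totals)

def leaderboard_points_flawed(ledger):
    """The flawed path: sums every reward and never consults the rule."""
    totals = defaultdict(int)
    for r in ledger:
        totals[r.researcher] += r.points
    return dict(totals)

def leaderboard(totals):
    """Order researchers by points, highest first (name breaks ties)."""
    return sorted(totals, key=lambda name: (-totals[name], name))

def rank_discrepancies(ledger, leaderboard_totals):
    """Invariant: leaderboard totals must equal profile totals per researcher."""
    expected = profile_points(ledger)
    names = set(expected) | set(leaderboard_totals)
    return {n: leaderboard_totals.get(n, 0) - expected.get(n, 0)
            for n in names
            if leaderboard_totals.get(n, 0) != expected.get(n, 0)}

# Constructed sample ledger (not real platform data).
LEDGER = [
    Reward("alice", "acme-prod", False, 40),
    Reward("bob", "acme-prod", False, 20),
    Reward("bob", "demo-sandbox", True, 100),
]

if __name__ == "__main__":
    flawed = leaderboard_points_flawed(LEDGER)
    print("flawed ranking:", leaderboard(flawed))
    print("fixed ranking: ", leaderboard(profile_points(LEDGER)))
    print("discrepancies: ", rank_discrepancies(LEDGER, flawed))
```

Building the leaderboard from the same function that feeds the profile removes the second code path, and the discrepancy check can run as a periodic audit that flags any account whose ranking total exceeds its profile total.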