
I was assuming middle-out compression.

It's routine during a netpen to download very large unlabeled files, especially VM images. You don't know whether they're a security threat until you check, and your goal is to escalate as much as possible. Even if it's named backup-20141120, you don't know what it's a backup of, or whether it's encrypted. You need to at least start downloading it to check the file headers.

A good pentester will try to suck down as many different things as possible and sort ruthlessly for anything that could be useful: keys, passwords, notes, bash histories, logs, everything. But that's why we do so on an encrypted, isolated drive. The data never leaves the partition, and it's deleted at the conclusion of the test.

People working on HackerOne don't have that kind of discipline, so it's important to err on the side of caution. But it's totally valid to grab a VM snapshot and look through it to check how to pivot elsewhere.

But the moment you realize it's super sensitive data, you want to wipe it and contact them immediately. (Perhaps after checking whether there's anything you can use to escalate privileges.) If it's named "ssns.txt", you probably still want to download it just to check it really is SSNs before you go running to them about their exposed text file.

The point is, it sounds very dramatic to say "Hacker downloaded 57M user records in 1GB of data", but sometimes you don't know they're user records until you look, and sometimes you can't look until it's fully downloaded. And your goal is to safely simulate what a real hacker would do. That's the point of a pentest, and why ethics and trust are so important.

I've snagged several VM image files during pentests at various companies. I don't remember whether any of them turned out to be useful, but I do remember poking through them in VMware Fusion to see what the devs had littered around.

Now: I was under strict NDA. That isn't true for HackerOne finders. Every company has different rules. Some tell you up front not to do this, e.g. https://hackerone.com/deptofdefense ("You do not exfiltrate any data under any circumstances.") https://hackerone.com/square ("Never attempt to view, modify, or damage data belonging to others.")

Crucially, Uber does not: https://hackerone.com/uber

Searching for "data" shows that everything is in scope. So it's really tricky to say there was malicious intent here.

edit: Usually it's the other way around, though: You find an exploit that gives you a little drip of data, so you know that you could technically enumerate the entire dataset if you wanted to. Obviously, don't do that, because you already know from the first drip whether there will be anything useful if you keep going.


It's not routine to escalate. There was an article here not long ago about a guy who found an RCE on Facebook and escalated to everything he could and kept a copy of all the data; that didn't go well.


It's extremely important to understand the terms of each bug bounty program. FB prohibits escalation (https://www.facebook.com/whitehat/):

You do not exploit a security issue you discover for any reason. (This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for additional issues.)

