This is the first clause in the "in scope" section, so it is not unauthorized.
It would be bad if he used this to just wander around in their website, though. Nobody's contested whether this is worth a $10,000 payout yet, but this seems a decent place to point out that using https://beefproject.com , you can use that XSS vulnerability as a reverse proxy back into Tesla's network, and browse through the support site authenticated as the user currently accessing the XSS payload. This isn't just an XSS, it was a authentication bypass that a real attacker could have leveraged into access into that internal web site full of sensitive info in just a few minutes.
This is the first clause in the "in scope" section, so it is not unauthorized.
It would be bad if he used this to just wander around in their website, though. Nobody's contested whether this is worth a $10,000 payout yet, but this seems a decent place to point out that using https://beefproject.com , you can use that XSS vulnerability as a reverse proxy back into Tesla's network, and browse through the support site authenticated as the user currently accessing the XSS payload. This isn't just an XSS, it was a authentication bypass that a real attacker could have leveraged into access into that internal web site full of sensitive info in just a few minutes.