A researcher found a vulnerability on setting duplicate report as program owner. He was able to duplicate a report to a report that doesn't have relation with the program. For example we can duplicate to a public report in hacktivity.
https://hackerone.com/reports/2513082