Based on the description this seems to be improper authorisation. An authenticated user can access data that it’s not supposed to (I assume you need to log in to see the data). The site in question should have a security contact where you can send your proven finding. Something like security@company.com or cert@company.com. They will usually require GPG encryption so the misconfigurstion you are reporting is not snooped (the attachment should be enough).

Skłodowska

According to some posts online you should use pattern matching to exclude filetypes. “*.ink” should match any file ending in “ink”. Exclusions should be separated by a newline.