Hacking on a Private Program (Salesforce CRM)

Md Maruf Hosan (0xMaruf)
Published in System Weakness
2 min read · Jul 11, 2022


I was hunting on a private HackerOne program, so let's call it developer.target.com. I found a register option and registered there. After some recon I found that it is a Salesforce CRM, and while logging in I noticed that authentication goes through Okta.

My first attempt was to log in to Okta to get some juicy stuff, because the account was created on Okta. So I hit target.okta.com, logged in and encountered an error, which was

After seeing that I changed my date and time but still got the same error. After a lot of research I found that the issue can only be resolved from the Okta console, so I lost hope with Okta. Then I came back to developer.target.com, logged in and found nothing juicy except this: https://developer.target.com/developer/s/settings/{profileID}

Then, after wasting some time, I changed the directory "settings" to "profile", like this: https://developer.target.com/developer/s/profile/{profileID}, and boom, I found more options including a file upload feature. So I tried to upload php, jsp and asp files, but got no preview for anything except jpg, png and other image extensions.

With more recon I found this endpoint: https://developer.target.com/developer/s/sfsites/c/sfc/servlet.shepherd/document/download/{fileID}

After seeing this I knew what I had to do: I uploaded a CSV file containing a CSV injection payload, copied the fileID and put it here: https://developer.target.com/developer/s/sfsites/c/sfc/servlet.shepherd/document/download/001fdkd193

Then I opened this link from another browser and it did not work, so I opened the link again as an authenticated user, meaning with an account on developer.target.com.

And boom, the file was downloaded. Once other devs open the CSV file, the OS command gets executed on their machine.
Payload in the CSV file: =10+20+cmd|' /C calc'!A0

The system should filter cells that start with any of =, +, -, or @.
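As an added example (not the author's code, and not part of the original post), here is a small Python checker and sanitiser for the mitigation described above: it flags any cell that begins with =, +, -, or @ and prefixes such cells with a single quote so a spreadsheet shows them as text. Tab and carriage return are included as extra triggers; that goes beyond the post's list and is an assumption based on spreadsheet behaviour.

```python
import csv
import io

# Characters a spreadsheet treats as the start of a formula. The post lists
# =, +, -, @; tab and carriage return are added as an assumption beyond it.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_cell(cell: str) -> bool:
    """True if the cell would be evaluated as a formula when opened.
    Note: plain negative numbers such as "-5" are flagged too; that is the
    trade-off of a prefix-based rule."""
    return cell.startswith(FORMULA_TRIGGERS)


def neutralise_cell(cell: str) -> str:
    """Prefix a formula-like cell with a single quote so it renders as text."""
    return "'" + cell if is_formula_cell(cell) else cell


def scan_csv(text: str) -> list:
    """Return (row, column, value) for every formula-like cell in a CSV.
    Run this on uploaded files before they are served to other users."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(text))):
        for c, cell in enumerate(row):
            if is_formula_cell(cell):
                hits.append((r, c, cell))
    return hits


def sanitise_csv(text: str) -> str:
    """Rewrite the CSV with every formula-like cell neutralised."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for row in csv.reader(io.StringIO(text)):
        writer.writerow([neutralise_cell(cell) for cell in row])
    return out.getvalue()


# Constructed sample: a harmless row plus the payload quoted in the post.
SAMPLE = 'name,note\nalice,hello\nbob,"=10+20+cmd|\' /C calc\'!A0"\n'

if __name__ == "__main__":
    for hit in scan_csv(SAMPLE):
        print("formula-like cell at row %d col %d: %r" % hit)
    print(sanitise_csv(SAMPLE))
```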

And I was awarded a $300 bounty for that.

Follow me: https://twitter.com/0xmaruf
