Thanks for the response Evan.

It sounds like the user is confused that having View access doesn't let them have access to decrypt/see the secret - only that they can use the secret within Phabricator. So in order to allow others to decrypt/see the secret he gives them Edit access which does give them the ability to change the secret.

T4721 (which I also linked on the HackerOne report) discusses usability improvements to Passphrase, including better documentation and hinting about this use case and possibly the separation of the "Can Use Credential" and "Can View Secret" policies. These are reasonable usability concerns.

I don't think the Passphrase UI the reporter raises a concern with, which says Editable By: [...], is even remotely misleading in its behavior. It clearly says that it controls edit permission, and it legitimately does control edit permission. No reasonable user should set this control to Editable By: [@alice] and be surprised that @alice can edit the credential after they save the change. That's exactly what the UI said would happen, completely consistent with how this UI works in every other Phabricator application, and I can not imagine any way to make it more clear.

There is a reasonable usability concern here, and a reasonable use case which we don't address as gracefully as we could. I don't think there is a reasonable security concern, or that the UI misleads users into believing that an unsafe operation is safe.

Thank you for explaining - I didn't mean to imply I thought it was a security concern, as it is very clear what giving someone Edit access means.