Can you please explain specifically what problem you believe you've found?

The specific behavior you've described with regard to the BugHunter site is working as expected.

The https://bughunter.withgoogle.com/ site sends a certificate containing the following SubjectAltNames:
DNS Name=*.appspot.com
DNS Name=*.thinkwithgoogle.com
DNS Name=*.withgoogle.com
DNS Name=*.withyoutube.com
DNS Name=appspot.com
DNS Name=thinkwithgoogle.com
DNS Name=withgoogle.com
DNS Name=withyoutube.com

That means that the certificate is valid for "bughunter.withgoogle.com" and not valid for "www.bughunter.withgoogle.com", because "www.bughunter" does not match "*" as a wildcard value may not contain any dots.

>it will inform you that your connection is not secure which doesn't make sense

This warning is shown because the certificate presented by the server is not valid for the hostname from which it was sent.

I'm sorry.. What my point really is that: The browser shouldn't treat https://www.anything.example.com and https://anything.example.com different - Why? Because Firstly,  www. is something really general for the websites. Plus,the behavior of almost all of the sites are like this: http://www.mail.yandex.com if you go to this website you'll get eventually redirected to https://mail.yandex.com - This makes the user to believe that https://www.anything.example.com is the same as https://anything.example.com -  Making it user to believe the difference b/w http://www.anything.example.com and https://www.anything.example.com - 

PoC:

If you'll go to mail.google.com You will be redirected to google login page however, if you go to www.mail.google.com - the server is not found.. which means I can register www.mail.google.com (Obviously this i can not register, but there are many other websites like this) and fool around with people. Hope you get my idea of point. Thanks!

*Making it difficult for the user to differentiate b/w http://www.anything.example.com and https://www.anything.example.com ***

Thank you for providing more feedback. Adding requester "elawrence@chromium.org" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

There's no vulnerability here. The owner of example.com has control of the registration of subdomains, so she can allow (or not) www.example.com, and no other party gets to register it without her permission. You cannot, for example, register www.mail.google.com, because you do not own the google.com domain.

www.anything.example.com and anything.example.com are different hostnames; a server operator may choose to have one site redirect to the other, but they're under no obligation to do so.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot