Note they may still need a test account in order to see the problem, or more specifically to see the form from which you demonstrate the problem.
The mod_security exceptions, if and when defined, are usually specific to the page and form name, and even to the field IDs that appear within that form. For example, the mod_security setup you're under right now might actually already have full phpBB-awareness, and permits an exception for all the standard phpBB-defined custom profile fields in this form which are expected to contain http:// prefixes.
But "Instagram" and "Tumbler" are not standard phpBB custom profile fields, and so they don't have pre-defined field names that could have been known ahead of time by the mod_security rule author. The form field IDs for these additional custom profile fields will be based on "whatever the site administrator entered for Field identification: when defining the custom profile field."
So for your hosting provider to "fix it" -- without simply turning off mod_security entirely, or without exempting the profile page or the profile form entirely -- they may be looking to identify the specific additional form field ID(s) that have been added to the profile form on your specific site.