We can learn the following from this report:
- An XSS vulnerability is not necessarily in a parameter that is visible in the original request, so also test all other requests, including those that are not originally generated by a web page.
- Fransrosen went to great lengths to explain the attack surface of the vulnerability to the program owners, turning a self-XSS into a stored XSS, which was greatly appreciated in the response as well. He initially invited the team member to the report, then downloaded a Mac clipboard software and took the time to report and verify the vulnerability to the team.
- Even though the bounty was not much, the vulnerability was well documented and nicely proven, which was effective for long-term engagement with the team.