Great info and writeup! Thank you for sharing. I have to ask a few questions if you wouldn't mind answering. How much time did you spend on this? What is your primary motivation; curiosity, cash, just because? Was the meager $150 reward worth your efforts?
I found the initial XSS within 15 minutes, but the variations and bypasses took a few hours.
The primary motivation is to make the internet more secure, and the fun part of breaking websites. The challenges and the reward of having an alert are fun.
The $150 reward is plenty. I'm doing this for fun, and I like this website, so having a reward is only a nice bonus.