HackerOne, the popular security response and bug bounty platform, rewarded a researcher with with a $5,000 bounty for identifying a severe cross-site scripting (XSS) vulnerability.
HackerOne hosts bug bounty programs for several organizations, but the company also runs a program for its own services. So far, HackerOne has thanked 54 hackers for helping the company keep its services secure, but Trello developer Daniel LeCheminant is the first to find a flaw rated “severe.”
The researcher discovered that he could insert arbitrary HTML code into bug reports and other pages that use Markdown, a markup language designed for text-to-HTML conversions.
“While being able to insert persistent, arbitrary HTML is often game over, HackerOne uses Content Security Policy (CSP) headers that made a lot of the fun stuff ineffective; e.g. I could insert a