In April, I stumbled over a Cross-Site Scripting vulnerability on the Mozilla Developer Network!
Due to improper input validation, an attacker could temporarily inject their own code into users' browser sessions via manipulated URLs (user interaction was required):
which could then be used, for example, for phishing by means of a temporary defacement:
Immediately after the finding, I notified the Mozilla developers through their Bugzilla system and received an answer – well, not as fast as Sophos did, but the timeframe was short enough to say that they care about even smaller bugs.
Now Mozilla has completely changed the Developer Network infrastructure (did you notice the downtime on 8 May 😉 ?) and fixed the issue as part of this change.
I would like to thank Reed Loden and Luke Crouch of the Mozilla Team for the very friendly and professional way of dealing with my report. Too bad this bug was not eligible for your bug-bounty program 🙁