This specific XSS vulnerability may not have been, but the linked RCE vulnerability found by their friend https://kibty.town/blog/mintlify/ certainly would've been worth more than the $5,000 they were awarded.

A vulnerability like that (or even a slightly worse XSS that allowed serving js instead of only svg) could've let them register service workers to all visiting users giving future XSS ability at any time, even after the original RCE and XSS were patched.

▲

tptacek 15 hours ago | parent [-]

Maybe? I don't know enough about the vulnerability. Is it serverside? Then it isn't worth very much.

	▲	jrflowers 5 hours ago \| parent [-]
		>i quickly realised that this was the server-side serverless (lol) environment of their main documentation app, while this calls to a external api to do everything, we have the token it calls it with in the env. >alongside, we can poison the nextjs cache for everyone for any site, allowing mass xss, defacing, etc on any docs site.