Andys 3 days ago

Imagine viewing the same chat logs while logged in to an admin interface; then it isn't self-XSS anymore.

croemer 3 days ago | parent [-]

Indeed, it appears that the limited scope meant the juicy stuff could not be tested. Like exfiltrating other users' data.

bangaladore 2 days ago | parent [-]

Which is stupid as those are the vulnerabilities worth determining if they exist.

I can understand that in a heavily regulated industry (e.g. medical) a company couldn't, due to liability, give you the go-ahead to poke into other users' data in an attempt to find a vulnerability, but they could always publish the details of a dummy account that can be identified by its fake data.

Something like:

It is strictly forbidden to probe arbitrary user data. However, if a vulnerability is suspected to allow access to user data, the user with GUID 'xyzw' is permitted to probe.

Now you might say that won't help. The people who want to follow the rules probably will, and the people who don't want to won't anyways.