I discovered a private programme via google dork. It was a coding platform.
I found RCE and got a bounty for it. Soon after that I reported 2 XSS. But first of all I would like to say f*ck taxes.
#1 XSS :
After creating a profile there was a upload resume section.
I upload a pdf file from : https://github.com/luigigubello/PayloadsAllThePDFs/tree/main/pdf-payloads
Press enter or click to view image in full size
and achieved XSS. Reported and got paid for it.
#2 Input validation:
When I joined a challenge hosted on the website. In the team_name section I was restricted to 15 chars but when I used Burp I was able to inject fuck load of chars XD . Resulting in DoS
I demostrated a small impact and they agreed.