Stored XSS in touch.mail.ru

This is my first public disclosure on HackerOne. It is a partial disclosure, but the summary is clear: there was a stored XSS in the image preview feature via crafted attachment filename.

#275274 – touch.mail.ru/messages – Stored XSS

07/10/2017 – I send the report
11/10/2017 – The vulnerability is fixed and the bug bounty reward is 750$
27/12/2017 – Public disclosure