This is my first public disclosure on HackerOne. It is a partial disclosure, but the summary is clear: there was a stored XSS in the image preview feature via crafted attachment filename.
07/10/2017 – I send the report
11/10/2017 – The vulnerability is fixed and the bug bounty reward is 750$
27/12/2017 – Public disclosure