Tuesday, February 02, 2010

How to tell us about an exploit you've found

So, about 8 hours after we put up the new markdown rendering engine, our call to find exploits was a complete success: here is the new white-hat who found one.

Besides discovering a bug in the way that Discount handled escaped quotes in certain places (with thanks to David Parsons of Discount for getting a patch out so quickly), we learned that we should set up some guidelines for how to report exploits to us. So, we created a wiki page on help.

For those of you who don't know the details of how the infamous worm spread on reddit 5 months ago, here's the short story: a bunch of white-hats created a reddit of their own where they tried to build a proof-of-concept worm that would append itself as a reply to every comment on a given page. The whole thing was contained to a single comment thread, and all of the testing stayed in that thread...until one of the users went to their inbox. You see, the replying JS is shared by both areas, so an exploit that works on a comment thread also works in your inbox. Your inbox, though, collects comments from all sorts of other threads from all over the site, so a payload that was only ever "confined" to one thread had a path to every user who opened their inbox. The result was that the worm got out and spread freely until we took down (and later patched) the markdown renderer.
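The post mentions that the renderer bug involved escaped quotes, but not how. The following is a constructed illustration added here, not Discount's code and not a reproduction of the actual bug: a toy markdown link renderer that admits only backslash-escaped quotes in a link title, then unescapes them after that check, so the quote lands raw inside an HTML attribute. The hardened version beside it applies HTML encoding as the last step before each value enters the output, which is the general fix for this class of bug regardless of what input checks ran earlier. The link syntax, the payload and the helper names are all assumptions made for the example.

```javascript
// Constructed illustration (added here; NOT Discount's code and NOT the
// 2009 reddit bug): the general class of "escaped quote reaches an HTML
// attribute" bugs in a markdown renderer, beside the hardened version.

// Markdown inline link with optional title: [text](href "title").
// Inside the title a literal " must be written as \" so the matcher only
// ever sees escaped quotes, which makes the title look "already safe".
const LINK_RE = /\[([^\]]*)\]\(([^\s)]+)(?:\s+"((?:\\.|[^"\\])*)")?\)/g;

// Drop markdown backslash escapes: \" -> ", \* -> *, \\ -> \ ...
function unescapeMarkdown(s) {
  return s.replace(/\\(.)/g, "$1");
}

// Encode for the HTML attribute / text context. This must be the LAST
// thing done to a value before it is written into the output.
function encodeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Only http(s) links; anything else becomes a harmless placeholder.
function safeHref(href) {
  return /^https?:\/\//i.test(href) ? encodeHtml(href) : "#";
}

// Vulnerable renderer: unescapes the title AFTER the "only escaped quotes"
// check, so \" becomes a raw " inside title="..." and closes the attribute.
function renderLinkVulnerable(md) {
  return md.replace(LINK_RE, (_, text, href, title = "") =>
    `<a href="${href}" title="${unescapeMarkdown(title)}">${text}</a>`);
}

// Hardened renderer: unescape first (that is what markdown means), then
// HTML-encode every value at the point it enters an attribute or text node.
function renderLinkSafe(md) {
  return md.replace(LINK_RE, (_, text, href, title = "") =>
    `<a href="${safeHref(href)}" title="${encodeHtml(unescapeMarkdown(title))}">${encodeHtml(text)}</a>`);
}

// Constructed comment body: the escaped quotes in the title are meant to
// break out of the attribute and plant an event handler.
const PAYLOAD = '[hi](http://example.com "x\\" onmouseover=\\"alert(1)")';

// Attribute names of the first tag in a fragment, honouring quoted values,
// i.e. roughly what a browser would treat as attributes. A plain substring
// search for "onmouseover=" would also match inside a correctly encoded
// title, so this is the check to use in a regression test. (Simplified:
// assumes no raw ">" inside attribute values.)
function attributeNames(html) {
  const m = /<[a-z][a-z0-9]*\s+([^>]*)>/i.exec(html);
  if (!m) return [];
  const names = [];
  const re = /([^\s=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"']*))?/g;
  let a;
  while ((a = re.exec(m[1])) !== null) names.push(a[1].toLowerCase());
  return names;
}

// True if any real attribute is an event handler (on*).
function hasEventHandler(html) {
  return attributeNames(html).some((n) => n.startsWith("on"));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(renderLinkVulnerable(PAYLOAD)); // title closes early, onmouseover survives
  console.log(renderLinkSafe(PAYLOAD));       // quotes arrive as &quot;
}
```

The point worth taking from the example is where the encoding happens: the vulnerable path trusts a check made on the markdown form and then transforms the value afterwards, while the safe path encodes for the HTML context as the final step, so any earlier unescaping is harmless.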

The lesson and tl;dr: please don't post or test exploits in any shared or public area of the site. PM us, and keep your test cases somewhere other users can't trigger them. Once the genie is out of the bottle, it's hard for us to re-cork it.