The cross-site scripting bug reportedly earned the researcher a $5000 reward.