This is my first public disclosure on HackerOne. It is a partial disclosure, but the summary is clear: there was a stored XSS in the image preview feature via crafted attachment filename.

#275274 - touch.mail.ru/messages - Stored XSS

07/10/2017 - I send the report
11/10/2017 - The vulnerability is fixed and the bug bounty reward is 750$
27/12/2017 - Public disclosure